OopsSec Store
An intentionally vulnerable e-commerce application for hands-on web security training. Master real-world attack vectors through a realistic Capture The Flag platform. Hunt for flags, exploit vulnerabilities, and level up your security skills.
# With Node.js
$ npx create-oss-store && cd oss-oopssec-store && npm start
# With Docker
$ docker run -p 3000:3000 leogra/oss-oopssec-store
# → Open http://localhost:3000 and start hacking

Read the blog posts or check the README for more info.
Recent Posts

- Race Condition: abusing a single-use coupon with concurrent requests
  OopsSec Store validates a coupon and increments its counter in two separate database calls. Send enough concurrent requests and several slip through the check before any of them completes the increment.

- Middleware Authorization Bypass: Skipping Next.js Auth with a Single Header (CVE-2025-29927)
  Exploiting CVE-2025-29927 to bypass Next.js middleware-based authentication using the x-middleware-subrequest internal header, accessing a protected internal status page without credentials.

- Malicious MCP Server: Poisoning an AI Agent Through Tool Responses
  We host a malicious MCP server whose tool responses trick OSSBot into calling a restricted internal tool and leaking the flag.

- Padding oracle attack: forging encrypted share tokens
  A padding oracle in OopsSec Store's share feature leaks whether decryption produced valid PKCS#7 padding. That's enough to forge a token for an internal report and grab the flag.

- Profile Takeover: Chaining Self-XSS with CSRF
  A Self-XSS in the profile bio editor is harmless on its own. Chain it with a missing CSRF token on the update endpoint and you get cross-user profile takeover.

- Open Redirect: Accessing Internal Pages via Login Redirect
  Exploit an unvalidated redirect parameter on OopsSec Store's login page to reach a restricted internal OAuth callback endpoint.

- Session Fixation: Hijacking an Admin Account Through Support Access
  Exploiting a mass assignment flaw in a support access token endpoint to generate a session for the admin account and access the admin dashboard.

- Insecure Password Reset: Predictable Token Forgery
  Exploit a predictable password reset token generation mechanism to take over any user account.

- XML External Entity Injection: Exploiting a Legacy Supplier Import Endpoint
  Exploiting an insecure XML parser in the supplier order import feature to read arbitrary server-side files and retrieve a flag.

- Plaintext Password Exposure: Exploiting Server Logs via a Hidden SIEM Interface
  Exploiting a forgotten debug statement that logs plaintext passwords and a hidden SIEM dashboard with hardcoded credentials to retrieve a flag.