OopsSec Store: A New Deliberately Vulnerable E-Commerce Platform for AppSec Training
OSS - OopsSec Store
An intentionally vulnerable e-commerce app for learning web security.
Master real-world attack vectors through a realistic CTF platform.
Hunt for flags, exploit vulnerabilities, and level up your security skills.
# Node.js
npx create-oss-store my-ctf-lab && cd my-ctf-lab && npm start
# Docker
docker run -p 3000:3000 leogra/oss-oopssec-store
# Then open http://localhost:3000 and start hacking
[!WARNING] This application contains intentional security flaws and must never be deployed in a production environment.
Features
- Intentionally vulnerable e-commerce app (XSS, CSRF, IDOR, JWT attacks, path traversal, SQL injection, and more)
- Built with Next.js, React, Prisma, and SQLite
- REST API with documented attack vectors
- CTF challenges with hidden flags
- Vulnerability documentation and community walkthroughs for each challenge
- Automated tests that verify exploits still work (PRs that accidentally fix a vuln will fail CI)
Installation
Quick start
npx create-oss-store my-ctf-lab
cd my-ctf-lab
npm start
Then open http://localhost:3000 in your browser.
Manual setup
Clone the repo and run the setup script:
git clone https://github.com/kOaDT/oss-oopssec-store.git
cd oss-oopssec-store
npm run setup
This creates the .env file, installs dependencies, sets up the SQLite database, seeds it with CTF flags, and starts the app on port 3000.
Docker
No Node.js required. Just Docker.
From Docker Hub (quickest)
docker run -p 3000:3000 leogra/oss-oopssec-store
To persist data across restarts:
docker run -p 3000:3000 -v oss-data:/app/data leogra/oss-oopssec-store
From source (Docker Compose)
git clone https://github.com/kOaDT/oss-oopssec-store.git
cd oss-oopssec-store
docker compose up -d
Or using the npm helper scripts:
npm run docker:up # Start in background (builds image on first run)
npm run docker:logs # Follow container logs
npm run docker:down # Stop the container
npm run docker:reset # Wipe data and restart fresh
The database initializes on first start. Data persists across restarts via Docker named volumes. To reset everything (flag progress, users, uploads), run npm run docker:reset.
Hall of fame
Found all the flags? Open a pull request to join the Hall of Fame. Add your entry to hall-of-fame/data.json and your profile will show up on the /hall-of-fame page in the app.
Testing
The project includes security regression tests that make sure all exploit chains and flags still work. These tests deliberately validate insecure behavior. They run on every PR, so if you accidentally patch a vulnerability, CI will catch it.
Running tests
# Unit tests (utility functions: MD5 hashing, JWT, input filters)
npm run test:unit
# API exploitation tests (requires a running server)
npm run test:api
# E2E exploitation tests (requires a running server)
npm run test:e2e
# Open Cypress interactive mode
npm run test:e2e:open
# All tests
npm run test:ci
Disclaimer
[!CAUTION] This project is for educational and authorized security testing only. It contains intentional vulnerabilities and insecure configurations. The authors are not responsible for any misuse, damage, or unauthorized access. Use it in isolated environments.
Contributing
OSS – OopsSec Store is MIT-licensed. Contributions are welcome.
Ways to contribute:
- Add new security challenges
- Write or improve walkthroughs
- Extend the application
- Report and fix bugs
- Improve documentation
Check the Roadmap for planned work, or grab a good first issue.
Found all the flags? Share your walkthroughs on the docs site.
For bugs or suggestions, open a GitHub Issue. See CONTRIBUTING.md for guidelines.