
SQL Injection Vulnerability in OopsSec Store Allows Full Database Extraction
The OopsSec Store application, designed as a vulnerable environment for cybersecurity research, contains an exploitable SQL injection flaw in the order status filter. The entry point is a POST request to /api/orders/search with the JSON field status. By injecting a malicious payload (e.g., UNION SELECT), an attacker can extract the entire users table, including usernames, passwords, and roles. The vulnerability stems from direct string concatenation in the SQL query without parameterization or escaping. The application, built with Next.js, is intended for local and educational use. A flag (OSS{sql_1nj3ct10n_vuln3r4b1l1ty}) is returned upon successful exploitation. Source: https://medium.com/@oopssec-store/sql-injection-in-oopssec-store-from-dropdown-to-database-dump-d801ee99684a
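
The concatenation flaw described above and its fix, as an added example that is not code from OopsSec Store: it uses Python with an in-memory SQLite database rather than the application's Next.js code. The table layout, status values, rows and probe string are constructed assumptions.

```python
import sqlite3

# Everything below is constructed for illustration: schema, rows, status values.
ALLOWED_STATUSES = {"PENDING", "SHIPPED", "DELIVERED"}
# Constructed probe of the UNION SELECT kind the write-up mentions.
PROBE = "x' UNION SELECT username, password, role FROM users --"

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders (id INTEGER, status TEXT, total REAL);
        CREATE TABLE users (username TEXT, password TEXT, role TEXT);
        INSERT INTO orders VALUES (1, 'SHIPPED', 19.99), (2, 'PENDING', 5.0);
        INSERT INTO users VALUES ('alice', 'constructed-hash-1', 'ADMIN'),
                                 ('bob', 'constructed-hash-2', 'CUSTOMER');
    """)
    return db

def search_vulnerable(db, status):
    # Root cause: the value is pasted into the SQL text, so a quote in it
    # closes the string literal and the remainder is parsed as SQL.
    sql = "SELECT id, status, total FROM orders WHERE status = '" + status + "'"
    return db.execute(sql).fetchall()

def search_safe(db, status, allow_list=True):
    # An order status filter has a fixed set of valid values (assumed here),
    # so anything else is rejected before it reaches the database.
    if allow_list and not (isinstance(status, str) and status in ALLOWED_STATUSES):
        raise ValueError("unsupported status filter")
    # Bound parameter: the value travels separately from the SQL text and is
    # only ever compared as data, whatever characters it contains.
    sql = "SELECT id, status, total FROM orders WHERE status = ?"
    return db.execute(sql, (status,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", search_vulnerable(db, PROBE))  # users rows come back
    print("bound only:  ", search_safe(db, PROBE, allow_list=False))  # no rows
    try:
        search_safe(db, PROBE)
    except ValueError as exc:
        print("allow-list:  ", exc)
```

Parameter binding alone removes the injection; the allow-list additionally rejects unexpected values early, which gives a clean signal to log and alert on.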