
Vulnerable Lab "OopsSec Store" Exposes User Orders via IDOR Flaw
A vulnerable laboratory named OopsSec Store, designed for penetration testing practice, contains an Insecure Direct Object Reference (IDOR) vulnerability that grants access to other users' orders. The flaw is triggered by manually changing the sequential identifier in the order confirmation URL (e.g., ORD-004 → ORD-001); the server never verifies that the requested order belongs to the authenticated user. The vulnerability exposes personal data (name, email, address, order details) and reveals a validation flag (OSS{1ns3cur3_d1r3ct_0bj3ct_r3f3rc3}). The project, built with Next.js, can be installed locally with the command npx create-oss-store and is intended for educational use in an isolated environment.

Source: https://medium.com/@oopssec-store/breaking-order-privacy-with-idor-in-oopssec-store-9f479f9354fb
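The pattern described above, as an added illustration that is not the OopsSec Store code: a minimal order-confirmation lookup in plain JavaScript, first in the vulnerable form (the handler trusts the order id from the URL) and then with ownership bound to the query, plus a small log-analysis helper that flags requests for orders the requester does not own. The in-memory store, user ids, order ids and log records are constructed sample data; the `session` object stands in for whatever the application's authentication layer provides, and no Next.js API is assumed.

```javascript
// Added example (not OopsSec Store's own code). ORDERS is a constructed
// in-memory stand-in for the shop's order table.
const ORDERS = new Map([
  ["ORD-001", { id: "ORD-001", ownerId: "u-alice", email: "alice@example.test", total: 42.0 }],
  ["ORD-004", { id: "ORD-004", ownerId: "u-bob", email: "bob@example.test", total: 17.5 }],
]);

// Vulnerable form: the id comes straight from the URL and the order's owner
// is never compared with the authenticated session, so any logged-in user
// who rewrites ORD-004 to ORD-001 receives Alice's order (classic IDOR).
function getOrderVulnerable(session, orderId) {
  const order = ORDERS.get(orderId);
  if (!order) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: order };
}

// Hardened form: require a session, and make ownership part of the lookup
// condition rather than a post-hoc check that can be forgotten. Both
// "no such order" and "not your order" return 404 so the response does not
// confirm that another customer's identifier exists.
function getOrderSecure(session, orderId) {
  if (!session || !session.userId) {
    return { status: 401, body: { error: "unauthenticated" } };
  }
  const order = ORDERS.get(orderId);
  if (!order || order.ownerId !== session.userId) {
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: order };
}

// Detection helper: given access-log style records {userId, orderId}, count
// requests for orders that exist but belong to someone else. Against the
// vulnerable handler these are exactly the successful cross-user reads; a
// burst of them from one user is the signature of sequential id walking.
function countCrossUserAccesses(records) {
  let hits = 0;
  for (const r of records) {
    const order = ORDERS.get(r.orderId);
    if (order && order.ownerId !== r.userId) hits += 1;
  }
  return hits;
}

// Constructed sample log: Bob reads his own order, then Alice's; Alice reads
// her own, then Bob's; one request targets an id that does not exist.
const SAMPLE_LOG = [
  { userId: "u-bob", orderId: "ORD-004" },
  { userId: "u-bob", orderId: "ORD-001" },
  { userId: "u-alice", orderId: "ORD-001" },
  { userId: "u-alice", orderId: "ORD-004" },
  { userId: "u-bob", orderId: "ORD-999" },
];

// Stand-alone demonstration of the two handlers and the detector.
console.log("vulnerable, bob -> ORD-001:", getOrderVulnerable({ userId: "u-bob" }, "ORD-001").status);
console.log("hardened,   bob -> ORD-001:", getOrderSecure({ userId: "u-bob" }, "ORD-001").status);
console.log("cross-user accesses in sample log:", countCrossUserAccesses(SAMPLE_LOG));
```

Returning 404 rather than 403 for a foreign order is a deliberate choice: a 403 tells the requester that the id is valid and merely forbidden, which is still an enumeration oracle. Replacing sequential identifiers with unguessable ones reduces the ease of walking the id space but is not a substitute for the ownership check in `getOrderSecure`.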