
Security Lab Exploits Vulnerability Chain in Next.js Web App *OopsSec Store*
Tags: Cybersecurity, Vulnerabilities, Web Security, Password Security, Ethical Hacking, Next.js, SQL Injection, Hash Cracking
A security lab exploits a chain of vulnerabilities in OopsSec Store, a deliberately vulnerable web application built with Next.js. The chain combines an SQL injection that dumps the user table (emails, roles, and unsalted MD5 password hashes) with offline cracking of those weak MD5 hashes; because unsalted MD5 is fast and deterministic, a hash of a common password matches precomputed lookup tables directly. The administrator account (email: admin@oss.com, password: admin) is recovered with tools such as CrackStation or crack-hash. Logging in to the admin interface (/admin) reveals the flag OSS{w34k_md5_h4sh1ng}. The two root causes are non-parameterized SQL queries and an outdated MD5 password-hashing scheme, both violations of established security best practices. The project is intended for educational use in an isolated local environment.