Cybersecurity Training with OSS – OopsSec Store
Tags: Cybersecurity, Web Security, OWASP, CTF, Training
OSS – OopsSec Store is an open-source, intentionally vulnerable web application designed for cybersecurity training. Built with Next.js and React, it simulates a realistic e-commerce environment to help users practice identifying and exploiting OWASP Top 10 vulnerabilities, API security flaws, and modern frontend attack vectors.
Key Points
- Purpose-built for security training: Realistic vulnerabilities in a modern tech stack (Next.js, React, Prisma).
- CTF-focused: Hidden flags and documented attack vectors for interactive learning.
- OWASP Top 10 coverage: Includes XSS, CSRF, IDOR, JWT attacks, path traversal, and more.
- Self-hosted and easy to deploy: Quick setup via `npx create-oss-store` or manual cloning.
- Educational resources: Detailed vulnerability documentation and project structure for transparency.
Why Use OopsSec Store?
For Security Professionals
- Practice penetration testing in a controlled, legal environment.
- Test API security with REST endpoints and modern frontend attack vectors.
- Benchmark skills with progressively challenging CTF flags.
For Developers
- Learn secure coding by identifying and fixing vulnerabilities in a production-like SPA.
- Understand real-world risks (e.g., how JWT misconfigurations lead to account takeovers).
- Integrate security awareness into development workflows.
For Educators & Students
- Teach web security with hands-on labs and structured documentation.
- Supplement coursework with a ready-to-use training platform.
- Encourage collaboration through community contributions and roadmap-driven challenges.
Vulnerabilities Covered
| Category | Examples |
|---|---|
| Injection | SQLi, NoSQLi, OS command injection |
| Broken Authentication | JWT attacks, weak session management, credential stuffing |
| Sensitive Data Exposure | Hardcoded secrets, improper logging, insecure API responses |
| XML External Entities (XXE) | Malicious XML payloads, file disclosure |
| Broken Access Control | IDOR (insecure direct object references), privilege escalation |
| Security Misconfiguration | Default credentials, exposed debug endpoints, CORS misconfigurations |
| Cross-Site Scripting (XSS) | Stored, reflected, and DOM-based XSS |
| Insecure Deserialization | JavaScript object manipulation, prototype pollution |
| CSRF | Cross-Site Request Forgery with demo payloads |
| API Security | Mass assignment, excessive data exposure, rate limiting bypasses |
Getting Started
Quick Deployment
```shell
npx create-oss-store my-security-lab
cd my-security-lab
npm run dev
```
Access the application at http://localhost:3000.
Manual Setup
```shell
git clone https://github.com/kOaDT/oss-oopssec-store.git
cd oss-oopssec-store
npm run setup # Initializes DB, seeds flags, and starts the app
```
Project Structure Overview
| Directory | Purpose |
|---|---|
| app/ | Next.js pages, API routes, and React components |
| app/vulnerabilities/ | Pages documenting each vulnerability (e.g., /vulnerabilities/xss) |
| content/vulnerabilities/ | Markdown files with attack vectors, solutions, and learning resources |
| prisma/ | Database schema, migrations, and CTF flag seeds |
| public/ | Static assets (e.g., exploit payloads, screenshots) |
| docs/ | Static documentation site |
Best Practices for Use
- Isolate the environment: Run OopsSec Store in a virtual machine or Docker container to prevent accidental exposure.
- Document findings: Use the built-in vulnerability pages to log exploits and solutions.
- Contribute back: Report bugs, suggest new challenges, or improve documentation via GitHub Issues.
- Combine with tools: Pair with Burp Suite, OWASP ZAP, or Postman for advanced testing.
- Review the disclaimer: Ensure compliance with local laws and ethical guidelines.
Learn More
Advanced Use Cases
- Red Team Exercises: Simulate real-world attacks in a controlled environment.
- Secure Coding Workshops: Use the codebase to demonstrate secure vs. insecure patterns.
- Bug Bounty Preparation: Practice identifying vulnerabilities before participating in public programs.
Community Resources
- GitHub Repository
- NPM Package
- ROADMAP.md (Planned features and vulnerabilities)
- CONTRIBUTING.md (How to contribute)
Disclaimer
This project is for educational and authorized security testing only. The authors are not liable for misuse, damage, or unauthorized access resulting from its use. Always deploy in isolated environments and adhere to ethical guidelines.