
OopsSec Store

Learn web security by hacking a real-looking app

OopsSec Store is a free, open-source training platform for web security. You install a fake online shop on your own machine — one we deliberately filled with real security bugs — then learn by finding and exploiting them yourself. A structured course of 35 guided challenges takes you from your first vulnerability to advanced AI and supply-chain attacks.

1. Run the lab locally

No cloud account, no external dependencies. Both methods launch the app on localhost:3000.

npm

Scaffold a fresh project

$ npx create-oss-store my-ctf-lab
$ cd my-ctf-lab && npm start

Docker

One command, ready to go

$ docker run -p 3000:3000 leogra/oss-oopssec-store

2. Work through the curriculum

35 challenges across 11 chapters, from reconnaissance to cryptography, AI/LLM, and supply-chain attacks. Each card links to a walkthrough — but try to find the bug yourself first. The skill comes from the hunt, not from reading the answer.

Chapter 01 of 11: Reconnaissance & Disclosure. Most attacks start with reading, not exploiting.

Chapter 06 of 11: Parsers Behaving Badly. Parsers go where your business logic can't.

Chapter 08 of 11: Server-Side Request Forgery. Make the server fetch what you can't.

Chapter 09 of 11: Cryptography Done Wrong. Modern crypto is safe by default. Until it isn't.

Chapter 10 of 11: AI & LLM Security. The new attack surface nobody trained for.

Chapter 11 of 11: Supply Chain & Framework. Your code is fine. The 800 packages around it aren't.

Security disclaimer

OopsSec Store contains intentional security flaws and must never be deployed on a public server or in a production environment. Run it exclusively in isolated, local environments for educational and authorized security testing purposes only.

Contribute

OopsSec Store is community-driven. There are many ways to get involved.

About OopsSec Store

OopsSec Store is an open-source, deliberately vulnerable e-commerce application for hands-on security training. Built with Next.js, React, TypeScript, Prisma, and SQLite, it reproduces flaws that appear in real production codebases across the OWASP Top 10, plus chapters on emerging AI/LLM and supply-chain threats. Automated regression tests keep the vulnerabilities exploitable, so the lab stays usable as the project evolves.