{"id":36092708,"url":"https://github.com/kOaDT/oss-oopssec-store","last_synced_at":"2026-01-15T23:00:43.568Z","repository":{"id":330041843,"uuid":"1118475908","full_name":"kOaDT/oss-oopssec-store","owner":"kOaDT","description":"Run `npx create-oss-store`, open your browser, and start hunting flags. Deliberately vulnerable Next.js e-commerce for web security training and CTF use.","archived":false,"fork":false,"pushed_at":"2026-01-12T15:30:14.000Z","size":875,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-01-12T18:56:38.181Z","etag":null,"topics":["appsec","ctf","ctf-challenges","cve","cybersecurity","hacking","javascript","nextjs","open-source","oss","owasp-top10","penetration-testing","purple-team","rce","reactjs","red-team","typescript","vulnerable-web-app","web-security"],"latest_commit_sha":null,"homepage":"https://koadt.github.io/oss-oopssec-store/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kOaDT.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-17T20:13:59.000Z","updated_at":"2026-01-12T15:30:30.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/kOaDT/oss-oopssec-store","commit_stats":null,"previous_names":["koadt/oss-oopssec-store"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/kOaDT/oss-oopssec-store","r
epository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kOaDT%2Foss-oopssec-store","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kOaDT%2Foss-oopssec-store/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kOaDT%2Foss-oopssec-store/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kOaDT%2Foss-oopssec-store/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kOaDT","download_url":"https://codeload.github.com/kOaDT/oss-oopssec-store/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kOaDT%2Foss-oopssec-store/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28473974,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-15T22:27:41.514Z","status":"ssl_error","status_checked_at":"2026-01-15T21:54:47.910Z","response_time":62,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","ctf","ctf-challenges","cve","cybersecurity","hacking","javascript","nextjs","open-source","oss","owasp-top10","penetration-testing","purple-team","rce","reactjs","red-team","typescript","vulnerable-web-app","web-security"],"created_at":"2026-01-10T20:00:25.073Z","updated_at":"2026-01-15T23:00:43.560Z","avatar_url":"https://github.com/kOaDT.png","language":"TypeScript","funding_links":[],"categories":["Technologies","Practices","Vulnerable Web Applications","OWASP Top 10","Learning Platforms to Sharpen Your Skills","Secure Software Development (OWASP)"],"sub_categories":["Application","Off-Line"],"readme":"\u003cdiv align=\"center\"\u003e\n\u003ch1\u003eOSS - OopsSec Store\u003c/h1\u003e\n\u003c/div\u003e\n\n\u003cdiv align=\"\"\u003e\n\n```\n   ____  ____ ____     ____                  ____            ____  _\n  / __ \\/ __// __/    / __ \\ ___   ___  ___ / __/ ___  ____ / __/ / /_ ___   ____ ___\n / /_/ /\\ \\ _\\ \\     / /_/ // _ \\ / _ \\(_-\u003c_\\ \\  / -_)/ __/_\\ \\  / __// _ \\ / __// -_)\n \\____/___//___/     \\____/ \\___// .__/___/___/  \\__/ \\__//___/  \\__/ \\___//_/   \\__/\n                                /_/\n  $ npx create-oss-store\n  $ cd my-oss-store \u0026\u0026 npm run dev\n\n  → Open http://localhost:3000 and start hunting flags\n```\n\n\u003c/div\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cb\u003eAn intentionally vulnerable e-commerce application for hands-on web security training.\u003c/b\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  
\u003cb\u003eMaster real-world attack vectors through a realistic Capture The Flag platform. Hunt for flags, exploit vulnerabilities, and level up your security skills.\u003c/b\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/kOaDT/oss-oopssec-store/blob/main/CONTRIBUTING.md\"\u003eContributing\u003c/a\u003e |\n  \u003ca href=\"https://github.com/users/kOaDT/projects/3\"\u003eRoadmap\u003c/a\u003e |\n  \u003ca href=\"https://medium.com/@oopssec-store\"\u003eWriteUps\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n[![GitHub license](https://img.shields.io/github/license/kOaDT/oss-oopssec-store?style=flat-square)](https://github.com/kOaDT/oss-oopssec-store/blob/main/LICENSE)\n[![npm version](https://img.shields.io/npm/v/create-oss-store?style=flat-square)](https://www.npmjs.com/package/create-oss-store)\n[![npm downloads](https://img.shields.io/npm/dm/create-oss-store?style=flat-square)](https://www.npmjs.com/package/create-oss-store)\n\n\u003c/div\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n[![GitHub issues](https://img.shields.io/github/issues/kOaDT/oss-oopssec-store?style=flat-square)](https://github.com/kOaDT/oss-oopssec-store/issues)\n[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen?style=flat-square)](https://github.com/kOaDT/oss-oopssec-store/pulls)\n![Intentionally Vulnerable](https://img.shields.io/badge/⚠️_Intentionally-Vulnerable-red?style=flat-square)\n[![GitHub stars](https://img.shields.io/github/stars/kOaDT/oss-oopssec-store?style=social)](https://github.com/kOaDT/oss-oopssec-store/stargazers)\n\n\u003c/div\u003e\n\n---\n\nOSS – OopsSec Store is an open-source, intentionally vulnerable e-commerce application built with Next.js and React. 
It provides a realistic environment to learn and practice web application security testing, including OWASP Top 10 vulnerabilities, API security flaws, and modern frontend attack vectors.\n\nDesigned for penetration testers, security engineers, developers, and cybersecurity students, this project demonstrates how real-world vulnerabilities manifest in production-like single-page applications (SPA) with REST APIs.\n\n**Warning:** This application contains intentional security flaws and must never be deployed in a production environment.\n\n## Features\n\n- Realistic e-commerce application with intentional security vulnerabilities (XSS, CSRF, IDOR, JWT attacks, path traversal, and more)\n- Modern tech stack: Next.js, React, Prisma\n- API security testing environment with documented attack vectors\n- Capture The Flag (CTF) challenges with hidden flags to discover\n- Comprehensive vulnerability documentation for learning and training\n- Suitable for security awareness training, penetration testing practice, and AppSec education\n\n---\n\n## Recent activity [![Time period](https://images.repography.com/103508692/kOaDT/oss-oopssec-store/recent-activity/Q7MububoYUVlm99MQWYW12szb_gGlehkuutaTn9WlA4/8o02KXC0HvWi_KfBHD6iD-qSBHSu0s9Y_rns1fvWSjg_badge.svg)](https://repography.com)\n\n[![Timeline graph](https://images.repography.com/103508692/kOaDT/oss-oopssec-store/recent-activity/Q7MububoYUVlm99MQWYW12szb_gGlehkuutaTn9WlA4/8o02KXC0HvWi_KfBHD6iD-qSBHSu0s9Y_rns1fvWSjg_timeline.svg)](https://github.com/kOaDT/oss-oopssec-store/commits)\n[![Trending topics](https://images.repography.com/103508692/kOaDT/oss-oopssec-store/recent-activity/Q7MububoYUVlm99MQWYW12szb_gGlehkuutaTn9WlA4/8o02KXC0HvWi_KfBHD6iD-qSBHSu0s9Y_rns1fvWSjg_words.svg)](https://github.com/kOaDT/oss-oopssec-store/commits)\n\n---\n\n## Installation\n\n### Quick Start\n\n```bash\nnpx create-oss-store my-ctf-lab\ncd my-ctf-lab\nnpm run dev\n```\n\nThen open http://localhost:3000 in your browser.\n\n### Manual 
Setup\n\nAlternatively, clone the repository and run the setup script:\n\n```bash\ngit clone https://github.com/kOaDT/oss-oopssec-store.git\ncd oss-oopssec-store\nnpm run setup\n```\n\nThe setup script will create the `.env` file, install dependencies, initialize the SQLite database, seed it with CTF flags, and start the application on port 3000.\n\n---\n\n## Project Structure\n\n[![Structure](https://images.repography.com/103508692/kOaDT/oss-oopssec-store/structure/Q7MububoYUVlm99MQWYW12szb_gGlehkuutaTn9WlA4/xqocpGlYz1v1FH126K5mqp7WjOcy1VH9pbA-EuINusA_table.svg)](https://github.com/kOaDT/oss-oopssec-store)\n\n| Folder                     | Description                                                              |\n| -------------------------- | ------------------------------------------------------------------------ |\n| `app/`                     | Next.js App Router – pages, API routes, and React components             |\n| `app/api/`                 | REST API endpoints (auth, cart, orders, products, flags, etc.)           |\n| `app/components/`          | Reusable React UI components (Header, Footer, ProductCard, etc.)         |\n| `app/vulnerabilities/`     | Pages documenting each security vulnerability                            |\n| `content/vulnerabilities/` | Markdown files describing vulnerabilities, attack vectors, and solutions |\n| `lib/`                     | Shared utilities: database client, authentication, API helpers, types    |\n| `prisma/`                  | Database schema, migrations, and seed script with CTF flags              |\n| `public/`                  | Static assets and exploit payloads (e.g., CSRF attack demo)              |\n| `hooks/`                   | Custom React hooks (authentication, etc.)                                
|\n| `scripts/`                 | Setup and automation scripts                                             |\n| `docs/`                    | Static documentation site                                                |\n| `packages/`                | NPM package `create-oss-store` for quick project scaffolding             |\n\n---\n\n## Disclaimer\n\nThis project is intended for educational and authorized security testing purposes only.\n\nIt contains intentional security vulnerabilities and insecure configurations. The authors assume no responsibility for any misuse, damage, or unauthorized access resulting from the use of this software. Use responsibly and only in isolated environments.\n\n---\n\n## Contributing\n\nOSS – OopsSec Store is released under the MIT License. Contributions from the security community are welcome.\n\nWays to contribute:\n\n- **Add new security challenges**\n- **Extend the application**\n- **Report and fix bugs**\n- **Improve documentation**\n\nLooking for ideas? 
Check out our [Roadmap project](https://github.com/users/kOaDT/projects/3) for planned features and vulnerabilities you can help implement.\n\nFor issues or suggestions, please open a [GitHub Issue](https://github.com/kOaDT/oss-oopssec-store/issues).\n\nFor contribution guidelines, see [CONTRIBUTING.md](CONTRIBUTING.md).\n\n\u003c!-- [![Issue status graph](https://images.repography.com/103508692/kOaDT/oss-oopssec-store/recent-activity/Q7MububoYUVlm99MQWYW12szb_gGlehkuutaTn9WlA4/8o02KXC0HvWi_KfBHD6iD-qSBHSu0s9Y_rns1fvWSjg_issues.svg)](https://github.com/kOaDT/oss-oopssec-store/issues)\n[![Pull request status graph](https://images.repography.com/103508692/kOaDT/oss-oopssec-store/recent-activity/Q7MububoYUVlm99MQWYW12szb_gGlehkuutaTn9WlA4/8o02KXC0HvWi_KfBHD6iD-qSBHSu0s9Y_rns1fvWSjg_prs.svg)](https://github.com/kOaDT/oss-oopssec-store/pulls) --\u003e\n\u003c!-- [![Activity map](https://images.repography.com/103508692/kOaDT/oss-oopssec-store/recent-activity/Q7MububoYUVlm99MQWYW12szb_gGlehkuutaTn9WlA4/8o02KXC0HvWi_KfBHD6iD-qSBHSu0s9Y_rns1fvWSjg_map.svg)](https://github.com/kOaDT/oss-oopssec-store/commits) --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FkOaDT%2Foss-oopssec-store","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FkOaDT%2Foss-oopssec-store","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FkOaDT%2Foss-oopssec-store/lists"}
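The README above tells users to keep this deliberately vulnerable lab in an isolated environment and notes that the setup script starts the app on port 3000. Next.js's `next dev` binds to all interfaces (default hostname `0.0.0.0`) unless started with `-H 127.0.0.1`, so the check a practitioner wants before running it on a shared machine is whether the lab port is listening on a non-loopback address. The snippet below is an added example, not code from the OSS - OopsSec Store project: it parses `ss -ltn`-style output (a constructed sample here, so it runs offline) and reports any LISTEN socket on the lab port bound to anything other than loopback. The `LAB_PORT` variable, the `exposed_listeners` function and the sample socket lines are my own choices.

```shell
#!/bin/sh
# Added example (not part of OSS - OopsSec Store): flag any TCP listener on the
# lab port that is bound to a non-loopback address. The input is the text of
# `ss -ltn` (or `netstat -ltn`), passed in as a string so it can be checked
# offline against a constructed sample.

LAB_PORT="${LAB_PORT:-3000}"   # assumption: the lab runs on 3000 as in the README

# Print "addr:port" for every LISTEN socket on $LAB_PORT whose local address is
# not loopback (127.0.0.0/8, ::1 or [::1]). Returns 1 when any such socket
# exists, 0 when the port is loopback-only or not listening at all.
exposed_listeners() {
  _input="$1"
  # `ss -ltn` columns: State Recv-Q Send-Q Local:Port Peer:Port ...; the local
  # address is column 4. The port is everything after the last ":" so that
  # bracketed IPv6 addresses such as [::]:3000 are handled as well.
  _hits=$(printf '%s\n' "$_input" | awk -v port="$LAB_PORT" '
    $1 == "LISTEN" {
      local = $4
      n = split(local, parts, ":")
      if (parts[n] != port) next
      addr = substr(local, 1, length(local) - length(port) - 1)
      if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
      print local
    }')
  if [ -n "$_hits" ]; then
    printf '%s\n' "$_hits"
    return 1
  fi
  return 0
}

# Constructed sample of `ss -ltn` output: the lab is reachable on all IPv4
# interfaces, a database listens on loopback only, and the IPv6 listener is
# loopback-only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:3000        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      511    [::1]:3000          [::]:*'

# Constructed sample where the lab is bound to loopback only.
SAMPLE_SAFE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    127.0.0.1:3000      0.0.0.0:*'

# Stand-alone run: on a real host replace the sample with "$(ss -ltn)".
if exposed_listeners "$SAMPLE_SS" >/dev/null; then
  echo "port $LAB_PORT is loopback-only"
else
  echo "port $LAB_PORT is reachable beyond loopback; restart with: npm run dev -- -H 127.0.0.1"
fi
```

The remedy printed at the end assumes the project's `dev` script wraps `next dev`, so that `npm run dev -- -H 127.0.0.1` passes the hostname flag through; if the script differs, pass `-H 127.0.0.1` to `next dev` directly. Running this check after `npm run setup` and before sharing the URL with other trainees is cheap insurance that the flaws the lab ships with stay inside the lab.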