A ready-to-use guide for instructors, bootcamp trainers, CTF organizers, and security team leads who want to integrate OSS OopsSec Store into their curriculum or training sessions.
Quick start for your students:

```bash
npx create-oss-store my-lab
cd my-lab && npm start
# → http://localhost:3000
```

Or with Docker (no Node.js required):

```bash
docker run -p 3000:3000 leogra/oss-oopssec-store
```

Contents:

- Why OopsSec Store?
- OWASP Coverage Grid
- Challenge Catalog & Time Estimates
- Syllabus Integration Guide
- Deployment FAQ
- Student Report Template
- Contact & Support
## Why OopsSec Store?

OopsSec Store is the only intentionally vulnerable web application built with Next.js and React: the stack your students will actually encounter in production.

| | OopsSec Store | DVWA | Juice Shop |
|---|---|---|---|
| Stack | Next.js · React · Prisma | PHP · MySQL | Node.js · Angular |
| Setup | npx create-oss-store (< 1 min) | Manual / Docker | Docker |
| CTF format with flags | ✅ | ❌ | ✅ |
| Walkthroughs included | ✅ | Partial (hints) | ❌ |
| Modern API attack vectors | ✅ | ❌ | Partial |
| Actively maintained | ✅ | ✅ | |
| Hall of Fame for students | ✅ | ❌ | ❌ |
| Free & open source (MIT) | ✅ | ✅ | ✅ |
Each vulnerability hides a flag in the format OSS{...}. Walkthroughs are available at koadt.github.io/oss-oopssec-store (useful for debriefing sessions or when students get stuck).

## OWASP Coverage Grid

OopsSec Store covers the full OWASP Top 10 (2025) plus advanced topics relevant to modern web stacks.
| OWASP Category | Challenges covered |
|---|---|
| A01 - Broken Access Control | IDOR (wishlist), BOLA (API), Open Redirect, Path Traversal, Middleware Authorization Bypass (CVE-2025-29927), CSRF, CSRF + Self-XSS chain (profile takeover) |
| A02 - Security Misconfiguration | Public environment variable exposure, Information disclosure via API errors, XXE (supplier import) |
| A03 - Software Supply Chain Failures | No challenge currently maps directly to A03 — contributions welcome. |
| A04 - Cryptographic Failures | Weak JWT secret, Weak MD5 Hashing, Padding Oracle (AES-CBC), Insecure Randomness (gift card code generation) |
| A05 - Injection | Stored XSS (product reviews), Self-XSS (profile injection), SQL Injection (login), Product Search SQLi, Second-Order SQLi, X-Forwarded-For SQLi, Prompt Injection, MCP Server Poisoning |
| A06 - Insecure Design | Client-side price manipulation, Stored XSS via SVG upload, Race Condition Coupon Abuse |
| A07 - Authentication Failures | Session fixation & weak session management, Brute force (no rate limiting), Insecure password reset |
| A08 - Software or Data Integrity Failures | React2Shell - RSC RCE (CVE-2025-55182), Mass Assignment / Parameter Pollution |
| A09 - Security Logging & Alerting Failures | Plaintext password logging |
| A10 - Mishandling of Exceptional Conditions | No challenge currently maps directly to A10 — contributions welcome. |
Note on SSRF: the Server-Side Request Forgery challenge is tagged A10:2021, because SSRF was dropped as a standalone category in the 2025 release; it is now implicitly covered under A01 Broken Access Control.
## Challenge Catalog & Time Estimates

Difficulty: 🟢 Beginner · 🟡 Intermediate · 🔴 Advanced
| # | Challenge | Category | Difficulty | Est. time |
|---|---|---|---|---|
| 1 | Public Environment Variable Exposure | Information Disclosure | 🟢 | 15–20 min |
| 2 | Information Disclosure via API Errors | Information Disclosure | 🟢 | 15–20 min |
| 3 | IDOR - Private Wishlist Access | Broken Access Control | 🟢 | 20–30 min |
| 4 | Open Redirect via Login Page | Input Validation | 🟢 | 20–30 min |
| 5 | Stored XSS via Product Review | Injection | 🟢 | 30–45 min |
| 6 | Self-XSS - Profile Bio Injection | Injection | 🟢 | 20–30 min |
| 7 | SQL Injection (Login) | Injection | 🟡 | 30–45 min |
| 8 | Product Search SQL Injection | Injection | 🟡 | 30–45 min |
| 9 | Weak JWT Secret | Authentication | 🟡 | 45–60 min |
| 10 | Client-Side Price Manipulation | Input Validation | 🟡 | 30–45 min |
| 11 | Weak MD5 Hashing | Cryptographic | 🟡 | 30–45 min |
| 12 | Cross-Site Request Forgery (CSRF) | Request Forgery | 🟡 | 45–60 min |
| 13 | Mass Assignment / Parameter Pollution | Input Validation | 🟡 | 45–60 min |
| 14 | Path Traversal | Input Validation | 🟡 | 30–45 min |
| 15 | Server-Side Request Forgery (SSRF) | Request Forgery | 🟡 | 45–60 min |
| 16 | Session Fixation & Weak Session Management | Authentication | 🟡 | 60–90 min |
| 17 | Brute Force - No Rate Limiting | Authentication | 🟡 | 30–45 min |
| 18 | Insecure Password Reset | Authentication | 🟡 | 45–60 min |
| 19 | Broken Object Level Authorization (BOLA) | Authorization | 🟡 | 45–60 min |
| 20 | Plaintext Password in Server Logs | Information Disclosure | 🟡 | 30 min |
| 21 | Prompt Injection - AI Support Assistant | Injection | 🟡 | 60–90 min |
| 22 | Middleware Authorization Bypass (CVE-2025-29927) | Authorization | 🟡 | 30–45 min |
| 23 | Insecure Randomness — Gift Card Code | Cryptographic | 🟡 | 45–60 min |
| 24 | Second-Order SQL Injection | Injection | 🔴 | 60–90 min |
| 25 | XXE - Supplier Import Endpoint | Injection | 🔴 | 45–60 min |
| 26 | SVG Upload - Stored XSS | Injection | 🔴 | 45–60 min |
| 27 | X-Forwarded-For SQL Injection | Injection | 🔴 | 60–90 min |
| 28 | CSRF + Self-XSS Chain - Profile Takeover | Request Forgery | 🔴 | 90–120 min |
| 29 | Padding Oracle - AES-CBC Token Forgery | Cryptographic | 🔴 | 90–120 min |
| 30 | MCP Server Poisoning - Agent Manipulation | Injection | 🔴 | 90–120 min |
| 31 | React2Shell - RSC RCE (CVE-2025-55182) | RCE | 🔴 | 120+ min |
| 32 | Race Condition — Coupon Abuse | Business Logic | 🔴 | 45–90 min |
Total estimated time: summing the per-challenge estimates above gives roughly 24–33 hours of hands-on time for the full catalog (challenge 31 is open-ended), before any debrief time. You don't need to cover everything. Pick the challenges that match your course objectives and time constraints.
## Syllabus Integration Guide

Designed for a 5-day security bootcamp with 3–4 hours of lab time per day.
| Day | Focus | Challenges |
|---|---|---|
| Day 1 | Recon & injection fundamentals | Public Env Variable, Info Disclosure API, SQL Injection (login), Product Search SQLi, X-Forwarded-For SQLi |
| Day 2 | Client-side attacks | Stored XSS (review), Self-XSS (profile), SVG Upload XSS, CSRF, CSRF + Self-XSS chain |
| Day 3 | Auth & access control | IDOR, BOLA, Open Redirect, Weak JWT, Session Fixation, Brute Force, Password Reset, Middleware Bypass (CVE-2025-29927) |
| Day 4 | Crypto, data & server-side | Weak MD5, Padding Oracle, Insecure Randomness (gift card), Plaintext Logs, Path Traversal, SSRF, Client-Side Price Manipulation, Mass Assignment |
| Day 5 | Advanced & AI security | Second-Order SQLi, XXE, Prompt Injection, MCP Poisoning, React2Shell RCE, Race Condition Coupon Abuse |
Debrief format: After each session, share the walkthrough URL for each challenge and run a 15-min group debrief. Encourage students to compare their approach with the official walkthrough.
Designed to complement a web security or application security course over 8–9 weeks, with one 2-hour lab session per week.
| Week | Topic | Challenges | Learning outcomes |
|---|---|---|---|
| 1 | Lab setup & recon | Public Env Variable, Info Disclosure API | Understand the app architecture and attack surface |
| 2 | SQL Injection | SQL Injection (login), Product Search SQLi, X-Forwarded-For SQLi | Identify and exploit injection in modern ORMs |
| 3 | XSS & client-side attacks | Stored XSS, Self-XSS (profile), SVG Upload XSS | Understand DOM context and stored payload execution |
| 4 | Access control & input validation | IDOR, BOLA, Open Redirect, Path Traversal, Client-Side Price Manipulation, Middleware Bypass (CVE-2025-29927) | Enumerate and exploit broken access controls |
| 5 | Auth & session management | Weak JWT, Session Fixation, Brute Force, Password Reset, Mass Assignment | Analyze authentication flaws in real flows |
| 6 | Cryptographic & logging failures | Weak MD5, Padding Oracle, Insecure Randomness (gift card), Plaintext Logs | Exploit weak crypto implementations |
| 7 | Request forgery & chaining | CSRF, SSRF, CSRF + Self-XSS chain | Chain low-severity bugs into critical exploits |
| 8 | Advanced injection & AI security | Second-Order SQLi, XXE, Prompt Injection, MCP Poisoning | Understand advanced injection and AI attack surfaces |
| 9 | Business logic & race conditions | Client-Side Price Manipulation (revisited from week 4), Race Condition Coupon Abuse | Exploit non-atomic state transitions and TOCTOU flaws |
Assessment: Use the Student Report Template as a graded deliverable for each challenge.
Designed for competitive CTF events with 10–30 participants.
Setup: Deploy one shared instance with Docker for the event, or have each participant run their own local instance.
```bash
# Shared instance (for organizers)
git clone https://github.com/kOaDT/oss-oopssec-store.git
cd oss-oopssec-store
docker compose up -d

# Per-participant instance
npx create-oss-store my-lab && cd my-lab && npm start
```

Scoring suggestion:
- 🟢 Beginner challenges: 100 pts each
- 🟡 Intermediate challenges: 250 pts each
- 🔴 Advanced challenges: 500 pts each
Hall of Fame: Participants who find all flags can submit a PR to the Hall of Fame to have their profile listed in the app.
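For organizers running a shared instance, the following is an added example (not code from the OopsSec Store project) of a minimal flag checker and scoreboard: it validates the OSS{...} format, applies the point tiers suggested above, and rejects a second submission of the same flag by the same team, which is the "flag collision" problem of shared instances. It stores only SHA-256 digests of the flags so the scoreboard host never holds them in plaintext. The challenge names and numbers come from the catalog; the flag values, the flag body character set and the team names are constructed placeholders, not the real flags from seed.ts.

```typescript
// Added example for CTF organizers, not part of OopsSec Store itself.
// Flags are kept as SHA-256 digests; the flag strings below are placeholders.
import { createHash, timingSafeEqual } from "node:crypto";

type Tier = "beginner" | "intermediate" | "advanced";

// Points per difficulty tier, as suggested in the guide.
const POINTS: Record<Tier, number> = { beginner: 100, intermediate: 250, advanced: 500 };

// Flag format from the guide is OSS{...}; the body charset is an assumption,
// chosen so pasted whitespace or newlines are rejected instead of trimmed.
const FLAG_RE = /^OSS\{[A-Za-z0-9_-]{1,128}\}$/;

interface Challenge {
  id: number;        // catalog number from the table above
  name: string;
  tier: Tier;
  flagSha256: string;
}

function sha256Hex(s: string): string {
  return createHash("sha256").update(s, "utf8").digest("hex");
}

// Constructed entries: names and tiers match the catalog, flags are placeholders.
const CHALLENGES: Challenge[] = [
  { id: 3, name: "IDOR - Private Wishlist Access", tier: "beginner", flagSha256: sha256Hex("OSS{example_idor_flag}") },
  { id: 9, name: "Weak JWT Secret", tier: "intermediate", flagSha256: sha256Hex("OSS{example_jwt_flag}") },
  { id: 29, name: "Padding Oracle - AES-CBC Token Forgery", tier: "advanced", flagSha256: sha256Hex("OSS{example_padding_oracle_flag}") },
];

type Verdict = "accepted" | "bad_format" | "wrong" | "duplicate";

interface Submission { verdict: Verdict; challengeId?: number; points: number }

class Scoreboard {
  private solved = new Map<string, Set<number>>(); // team -> solved challenge ids

  constructor(private readonly challenges: Challenge[]) {}

  submit(team: string, submitted: string): Submission {
    if (!FLAG_RE.test(submitted)) return { verdict: "bad_format", points: 0 };

    // Compare against every stored digest in constant time. Digests are all
    // 32 bytes, so timingSafeEqual never throws on length mismatch, and
    // scanning the whole catalog avoids an early-exit timing signal.
    const digest = Buffer.from(sha256Hex(submitted), "hex");
    let match: Challenge | undefined;
    for (const c of this.challenges) {
      if (timingSafeEqual(digest, Buffer.from(c.flagSha256, "hex"))) match = c;
    }
    if (!match) return { verdict: "wrong", points: 0 };

    // A team is credited once per challenge; resubmitting the same flag scores nothing.
    const set = this.solved.get(team) ?? new Set<number>();
    if (set.has(match.id)) return { verdict: "duplicate", challengeId: match.id, points: 0 };
    set.add(match.id);
    this.solved.set(team, set);
    return { verdict: "accepted", challengeId: match.id, points: POINTS[match.tier] };
  }

  score(team: string): number {
    const ids = this.solved.get(team);
    if (!ids) return 0;
    let total = 0;
    for (const id of Array.from(ids)) {
      const c = this.challenges.find((x) => x.id === id);
      if (c) total += POINTS[c.tier];
    }
    return total;
  }
}

// Usage:
//   const board = new Scoreboard(CHALLENGES);
//   board.submit("team-a", "OSS{example_jwt_flag}"); // accepted, 250 points
```

Hashing the flags is defence in depth only: OopsSec Store flags are fixed strings shipped in seed.ts, so anyone with the repository can recover them regardless of how the scoreboard stores them. The check that matters in practice is the per-team deduplication, which is what keeps a shared instance from inflating scores.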
Designed for pentesters or developers onboarding to a security-aware team.
Recommended path for developers (focus on understanding, not exploitation): Challenges 1–6 (recon & basics) → 7–8 (SQLi) → 12 (CSRF) → 14 (Path Traversal) → 21 (Prompt Injection). Focus on the "How to Fix" section of each walkthrough.
Recommended path for junior pentesters (focus on technique): Full catalog in order of difficulty. Target: complete all 32 challenges in 4–5 weeks of part-time practice.
## Deployment FAQ

**Can students run it fully offline?**

Yes. Both the local Node.js and Docker setups are fully self-contained. No external network calls are required after initial setup.

```bash
# Pre-pull the Docker image on your network
docker pull leogra/oss-oopssec-store

# Students run locally with no internet
docker run -p 3000:3000 leogra/oss-oopssec-store
```

If student machines cannot reach a registry at all, export the pre-pulled image with `docker save` and import it on each machine with `docker load`.

**Can several students share one instance?**

It's not recommended. Each student should run their own local instance. Shared instances cause flag collisions (a student capturing a flag that another student already submitted) and pollute the database state.
Exception: for CTF events where competition is the goal, a shared instance is fine.
**How do I reset the app between sessions?**

```bash
# Node.js setup
npm run setup          # Re-seeds the database from scratch

# Docker setup
npm run docker:reset   # Wipes all data and restarts fresh
```

**Can I host it on a shared or public server?**

No. OopsSec Store must only be run in isolated environments (local machine or air-gapped VM). It contains intentional security flaws and must never be exposed to a production network or the internet.

Recommended setup for classrooms: each student runs the app on their own machine via localhost. No shared network exposure needed. Note that `docker run -p 3000:3000` publishes the port on every interface of the host, so on a shared classroom network use `-p 127.0.0.1:3000:3000` to keep the app reachable from localhost only.
**What are the system requirements?**

| Setup | Requirements |
|---|---|
| Node.js | Node 18+, npm |
| Docker | Docker Desktop or Docker Engine |
| Disk space | ~500 MB |
| RAM | 512 MB minimum, 1 GB recommended |
**Can I add my own challenges?**

Yes, contributions are welcome. See CONTRIBUTING.md. New challenges should include a flag in seed.ts and a markdown walkthrough in content/vulnerabilities/.
## Student Report Template

Use this template as a graded deliverable for each challenge. Students should complete one report per vulnerability exploited.

```markdown
# Vulnerability Report - [Challenge Name]

**Student name:** ______________________
**Date:** ______________________
**Challenge difficulty:** 🟢 Beginner / 🟡 Intermediate / 🔴 Advanced

---

## 1. Vulnerability Summary

> In 2–3 sentences, describe the vulnerability in your own words.
> What is it? Where is it located in the application?

[Your answer here]

---

## 2. Steps to Reproduce

> List the exact steps you followed to exploit the vulnerability.
> Be precise enough that someone else could reproduce it.

1.
2.
3.

---

## 3. Proof of Exploitation

> Paste the flag you captured, and include a screenshot or HTTP request
> showing the successful exploit.

**Flag:** `OSS{...}`

**Evidence:**

[Screenshot / HTTP request / payload]

---

## 4. Root Cause Analysis

> Why does this vulnerability exist?
> What insecure code pattern or configuration makes it possible?

[Your answer here]

---

## 5. Remediation

> How would you fix this vulnerability?
> Reference OWASP guidance or best practices where relevant.

[Your answer here]

---

## 6. OWASP Classification

> Which OWASP Top 10 category does this vulnerability belong to?
> Justify your answer.

**Category:** A0X - [Name]
**Justification:** [Your answer here]

---

## 7. Reflection

> What did you learn from this challenge?
> Was anything surprising or harder than expected?

[Your answer here]
```

## Contact & Support

- Issues & bug reports: github.com/kOaDT/oss-oopssec-store/issues
- Discussions & questions: github.com/kOaDT/oss-oopssec-store/discussions
- Walkthroughs: koadt.github.io/oss-oopssec-store
- Email: koadt@proton.me
If you use OopsSec Store in your course or event, I'd love to hear about it. Open a Discussion or send an email. Feedback from educators directly shapes the roadmap.
Last updated: March 2026. New challenges may have been added since this guide was written/updated.
OSS OopsSec Store is MIT-licensed. Free to use, adapt, and share. Do not deploy in production environments. For educational use only.