Releases: kOaDT/oss-oopssec-store
v2.3.1
Bug Fixes
- Fixed Stored XSS vulnerability in production builds: Uploaded SVG files now work correctly in production mode (npm start). Previously, files uploaded after build time returned HTTP 404 errors until the server was restarted. Files are now served dynamically through a new /api/uploads/ API route with proper path traversal protection and MIME type validation.
Special thanks to @h0ng10 for identifying and reporting the issue.
Improvements
- Enhanced project documentation: Migrated from CLAUDE.md to Cursor rules and AGENTS.md for better integration with development environments.
- Updated README: Added new Repography statistics.
What's New
- Brute Force vulnerability walkthrough: Added walkthrough for the brute force flag challenge.
Documentation
- Fixed BOLA vulnerability documentation: Added the missing walkthroughSlug field to the BOLA vulnerability.
v2.3.0
What's New
- Added new BOLA (Broken Object Level Authorization) vulnerability.
Improvements
- Enhanced the prompt injection documentation with clearer explanations and more concrete examples, making the content easier to understand and apply for security-focused readers.
Maintenance / Chore
- Fixed a minor typo in CONTRIBUTING.md.
v2.2.0
What's New
- AI Assistant Prompt Injection Vulnerability: Added an intentional prompt injection vulnerability to AI assistant component. This vulnerability demonstrates how AI systems can be manipulated through carefully crafted user inputs to bypass intended constraints and reveal sensitive information.
v2.1.1
What's New
- Added 404 and 500 error pages for improved error handling
- Introduced PDF invoice generation system with automatic invoice creation on order placement
- Added directory browsing and PDF viewing functionality on the admin documents page
Bug Fixes
- Fixed npm package installation to include building step
- Fixed typo in Astro homepage command documentation
Maintenance / Chore
- Moved documents page to admin section with proper access controls
v2.1.0
What's New
- X-Forwarded-For Header SQL Injection Vulnerability: Added a new training vulnerability demonstrating SQL injection attacks through the X-Forwarded-For header with silent visitor tracking via a VisitorTracker component
- Admin Analytics Page: Introduced the /admin/analytics dashboard with vulnerability-specific rendering techniques
- Visitor Tracking Endpoint: Created the /api/tracking endpoint that processes visitor data and detects SQL injection attempts
- Exploitation Documentation: Added comprehensive walkthrough documentation for the X-Forwarded-For SQL injection vulnerability
Improvements
- File Upload XSS Attack Chain: Enhanced the malicious file upload vulnerability to demonstrate cross-user impact scenarios
- Exploitation Guides: Added detailed walkthrough documentation for file upload-related attacks
v2.0.0
What's New
- Player Dashboard: Introduced a new /player-dashboard page to track CTF progress with clear visual indicators, including overall completion, difficulty and category breakdowns, elapsed time since project initialization, and direct access to related documentation.
- Persistent Flag Progress Tracking: Flag tracking has been migrated from browser localStorage to a database-backed system. Progress is now persisted across sessions, with timestamps recorded for each captured flag.
- Walkthrough Documentation Site: Added a full static documentation website containing in-depth walkthroughs for all vulnerabilities, including XSS, JWT, IDOR, SSRF, mass assignment, weak cryptography, and client-side logic flaws. The site includes search, comments, analytics, and is fully compatible with GitHub Pages: https://koadt.github.io/oss-oopssec-store/
Security
- XSS Challenge Redesign: The XSS vulnerability has been redesigned to remove automatic flag disclosure. Players must now perform a meaningful exploitation by chaining XSS with same-origin static file access, increasing the educational value of the challenge.
- JWT Vulnerability Realism: Replaced the unrealistic alg: none JWT setup with HS256 using a weak secret, providing a more practical and instructive exploitation scenario.
Bug Fixes
On Walkthrough Documentation Site:
- Fixed Pagefind bundle path handling to ensure search works correctly when deployed under a base path.
- Corrected breadcrumb navigation issues on the walkthroughs website.
- Excluded documentation files from Next.js TypeScript compilation to prevent build errors.
- Resolved hardcoded URLs across Astro components to ensure proper behavior on GitHub Pages.
- Added .nojekyll to prevent unwanted Jekyll processing on GitHub Pages.
- Fixed Open Graph image paths for correct social sharing previews.
Improvements
- Improved documentation site build and configuration to fully support GitHub Pages subpath deployments.
- Refined CI/CD workflows to deploy documentation from the main branch only for production stability.
Breaking Changes
- Flag Progress Storage Change: Flag progress is no longer stored in browser localStorage and is now persisted in the database. Who is impacted: Existing players with progress stored locally.
v1.11.0
What's New
- New Brute Force Vulnerability Challenge: Added a new authentication challenge featuring a user account (vis.bruta@example.com) vulnerable to brute force attacks due to the absence of rate limiting. Players must use password cracking techniques against a weak password from common wordlists to retrieve the flag OSS{brut3_f0rc3_n0_r4t3_l1m1t}.
- Enhanced CSRF Exploit Interface: The CSRF exploit demonstration now features a realistic Mail mode interface with a convincing PayPal security alert phishing scenario, providing a more authentic learning experience for understanding cross-site request forgery attacks.
Improvements
- News Page Data Leak Enhancement: Updated the leaked data section to display email addresses alongside password hashes, with some entries showing redacted hashes to simulate realistic breach scenarios.
- Flag Toast Notification System: Implemented a persistent flag notification system that displays on the home page after successful challenge completion.
- CSRF Documentation Updates: Clarified the distinction between localStorage-based and cookie-based CSRF scenarios, with improved explanations about same-origin versus cross-site attack vectors. (See: https://github.com/users/kOaDT/projects/3/views/1?pane=issue&itemId=150216546&issue=kOaDT%7Coss-oopssec-store%7C25)
Maintenance / Chore
- Database Seeding Improvements: Modified flag seeding logic to use upsert operations instead of createMany, allowing new flags to be added without recreating the entire dataset.
v1.10.1
v1.10.0
What's New
- Hall of Fame page: Community-driven player profiles page
- New flags: Added two new flags for security testing:
  - Product search with SQL injection vulnerability
  - Session fixation and weak session management vulnerability
Improvements
- Weak MD5 hashing vulnerability: Updated to require chained vulnerability exploitation. The MD5 hash is no longer displayed on the /news page; it must be discovered by chaining exploits such as SQL injection.
- Replaced ROADMAP.md with GitHub project and updated related links
Maintenance / Chore
- Removed redundant cookie-based authentication code
v1.9.0
What's New
- Added malicious file upload vulnerability demonstration with stored XSS
  - Includes admin product image management page with file upload functionality
  - Demonstrates weak Content-Type validation allowing SVG files containing JavaScript
  - Returns flag when malicious SVG content is detected
- Added favicon to the application
Bug Fixes
- Fixed writeups link in footer
Improvements
- Redesigned README header with centered layout and updated copy
- Added ASCII to create-oss-store CLI, setup.sh, and browser console welcome message
- Updated badges section with additional metrics
- Added CLAUDE.md with project context and documentation references