
Releases: kOaDT/oss-oopssec-store

v1.9.0

13 Jan 21:24


What's New

  • Added malicious file upload vulnerability demonstration with stored XSS
    • Includes admin product image management page with file upload functionality
    • Demonstrates weak Content-Type validation allowing SVG files containing JavaScript
    • Returns flag when malicious SVG content is detected
  • Added favicon to the application
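To make the weak Content-Type validation listed above concrete from the defender's side, here is an added Node.js example (not code from the oss-oopssec-store project): the check that trusts the client's declared type beside one that decides from the bytes and flags SVG carrying active content; function names and sample files are constructed for illustration.

```javascript
// Added example, not code from the oss-oopssec-store project: the weak check that
// trusts the client-supplied Content-Type, beside a hardened check that decides
// from the uploaded bytes. Function names here are illustrative.
const ALLOWED_TYPES = new Set(["image/png", "image/jpeg"]);

// Weak: Content-Type comes from the request and is fully attacker-controlled,
// so an SVG labelled "image/png" passes and is later served with its script.
function weakAccept(declaredType, _bytes) {
  return ALLOWED_TYPES.has(declaredType);
}

// Identify the file from its magic bytes instead of the declared type.
function sniffImageType(bytes) {
  const png = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
  if (bytes.length >= 8 && bytes.subarray(0, 8).equals(png)) return "image/png";
  if (bytes.length >= 3 && bytes[0] === 0xff && bytes[1] === 0xd8 && bytes[2] === 0xff) {
    return "image/jpeg";
  }
  return null; // SVG, HTML or anything else: not an accepted raster format
}

// Detection helper: does a rejected file look like SVG carrying active content?
// Useful for logging such uploads as stored-XSS attempts.
const ACTIVE_SVG = /<script\b|\son[a-z]+\s*=|javascript:|<foreignObject\b/i;
function hasActiveSvgContent(bytes) {
  const head = bytes.toString("utf8", 0, Math.min(bytes.length, 65536));
  return /<svg\b/i.test(head) && ACTIVE_SVG.test(head);
}

// Hardened: accept only when the sniffed type is on the allowlist and agrees with
// the declared type; serve the stored file with the sniffed type, never the
// declared one.
function checkUpload(declaredType, bytes) {
  const sniffed = sniffImageType(bytes);
  const accepted = sniffed !== null && ALLOWED_TYPES.has(sniffed) && sniffed === declaredType;
  return { accepted, sniffed, activeSvg: !accepted && hasActiveSvgContent(bytes) };
}

// Constructed samples: a PNG signature plus padding, and an SVG with a script element.
const PNG_SAMPLE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const SVG_SAMPLE = Buffer.from(
  '<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
);
```

Serving the stored image with a fixed `Content-Disposition: attachment` or from a separate origin further limits impact if a check is ever bypassed.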

Bug Fixes

  • Fixed writeups link in footer

Improvements

  • Redesigned README header with centered layout and updated copy
  • Added ASCII to create-oss-store CLI, setup.sh, and browser console welcome message
  • Updated badges section with additional metrics
  • Added CLAUDE.md with project context and documentation references

v1.8.0

12 Jan 10:40


What's New

  • Added difficulty and category metadata to flags, with a corresponding UI to better classify and navigate challenges.
  • Introduced a new Information Disclosure API error flag to improve coverage of common security issues.
  • Added direct links to documentation pages within the Flag Checker component for faster access to reference material.
  • Enhanced project visibility with Repography integration in the README and a Writeups link in the site footer.

Bug Fixes

  • Fixed missing export of the User type from client-auth, restoring proper type availability for downstream consumers.

Maintenance / Chore

  • Added a new ROADMAP.md and updated README.md and CONTRIBUTING.md to better document project direction and contribution guidelines.

v1.7.0

08 Jan 22:10


What's New

  • Added SQL injection flag
  • Added special styling when all flags are found

Bug Fixes

  • Fixed CLI publish workflow to allow the same version to be published

Improvements

  • Introduced useAuth hook and centralized authentication utilities to reduce duplication across components

Maintenance / Chore

  • Centralized shared types in lib/types for better type management
  • Refactored API layer with a centralized API client (lib/api.ts) and typed methods
  • Reorganized authentication files: lib/auth.ts → lib/server-auth.ts (server-side) and lib/utils/auth.ts → lib/client-auth.ts (client-side)
  • Centralized base URL configuration
  • Extracted getDatabaseUrl to a shared module
  • Removed unused lib/vulnerabilities.ts
  • Fixed typo in CSRF flag documentation

v1.6.0

07 Jan 22:18


What's New

New SSRF Flag

A new SSRF flag is now available, expanding the list of supported vulnerabilities and attack scenarios.

Generic Flag Component

Flags are now displayed through a generic component. This makes the UI more consistent and makes it easier to add new flag types in the future.

Improvements

Better Flag Validation Feedback

The flag validation button now includes a small animation. It’s a minor change, but it makes the validation flow feel more responsive and clearer for users.

Showcase UX Tweaks

Quick start commands have been moved to the top of the hero section so new users can get started faster without scrolling.

Docs Cleanup

Setup instructions on the showcase website were updated and clarified.
The README now includes an npm badge and reflects the latest npm package version.

v1.5.0

02 Jan 14:54


What's New

npx CLI for Quick Setup

You can now set up OSS – OopsSec Store with a single command:

npx create-oss-store my-ctf-lab
cd my-ctf-lab
npm run dev

The CLI automatically clones the repository, configures the environment, installs dependencies, and seeds the database with CTF flags.

Improvements

  • Showcase site: Fixed responsive behavior of the navigation menu
  • README: Added GitHub shields (license, release, stars) and improved SEO
  • Git hygiene: Removed .env from version control (auto-generated by setup script)

New Files

  • packages/create-oss-store/ - CLI package published on npm
  • .github/workflows/publish-cli.yml - Auto-publish CLI on new releases

Expanded Vulnerability Surface: Mass Assignment and Path Traversal

28 Dec 21:09


v1.4.0

This release expands the security training surface of OSS OopsSec Store by introducing new exploitable vulnerabilities, each leading to a dedicated flag.

Added

  • Mass assignment/Parameter Pollution flag

    • Introduces a Mass Assignment/Parameter Pollution vulnerability.
    • Allows attackers to modify fields that should not be user-controllable.
  • Path traversal flag

    • Adds a Path Traversal vulnerability.
    • Allows attackers to access files outside the intended directory by using path traversal sequences like ../ to reach sensitive system files or application files.

Changed

  • For a better UX, the CSR (client-side) price manipulation flag is passed as a URL parameter so it can be displayed on the order confirmation page.

Notes

All vulnerabilities are intentionally introduced for educational purposes and must never be used in production environments.

Expanded Vulnerability Surface: IDOR, XSS, and CSRF Flags

22 Dec 23:09


v1.3.0

This release expands the security training surface of OSS OopsSec Store by introducing new exploitable vulnerabilities, each leading to a dedicated flag.

Added

  • IDOR flag

    • Introduces an Insecure Direct Object Reference vulnerability.
    • Allows attackers to access unauthorized resources by manipulating identifiers.
  • XSS flag

    • Adds a Cross-Site Scripting vulnerability.
    • Demonstrates client-side code injection and its potential impact.
  • CSRF flag

    • Introduces a Cross-Site Request Forgery vulnerability.
    • Highlights the risks of missing or misconfigured CSRF protections.

Changed

  • Removed a useless MD5 reference from the news page.

Notes

All vulnerabilities are intentionally introduced for educational purposes and must never be used in production environments.