Vulnshop is a deliberately vulnerable e-commerce web application designed for security researchers, students, and penetration testing practice. The application was generated with the assistance of Claude AI and built to simulate a modern online shopping platform with intentionally embedded security flaws for educational and training purposes.
The platform runs on Node.js 24 and has been tested on both Windows and Linux environments to ensure cross-platform compatibility. It includes typical e-commerce features such as user registration and login, product browsing, shopping cart functionality, order management, and an administrative dashboard.
Vulnshop contains 40+ intentionally introduced vulnerabilities spanning multiple categories of web application security. These include issues related to authentication, authorization, input validation, session management, deserialization, business logic, and API security. The application is designed with multiple attack paths, allowing learners to chain vulnerabilities together to simulate real-world exploitation scenarios.
THIS APPLICATION IS INTENTIONALLY INSECURE AND CONTAINS SERIOUS SECURITY VULNERABILITIES
- DO NOT deploy this application on public networks
- DO NOT use in production environments
- DO NOT store real user data
- ONLY use in isolated, controlled environments for security training
This application is designed exclusively for:
- Security training and education
- Penetration testing practice
- Vulnerability assessment learning
- Security awareness demonstrations
- Features
- Prerequisites
- Installation
- Running the Application
- Default Credentials
- API Documentation
- Learning Resources
- User registration and authentication
- Product browsing and search
- Shopping cart management
- Order placement and history
- Product reviews
- Wallet/credit system
- Profile management
- Two-factor authentication (OTP)
- Feedback submission with file uploads
- Credit management for users
- Log viewer
- SMTP configuration
- Server statistics
- Node.js (v24)
- npm or yarn
- SQLite3
cd vulnerable-ecommercecd backend
npm installnpm run init-dbYou should see:
β
Database initialized successfully!
π Sample data inserted
π Admin credentials: admin/admin
cd ../frontend
npm installcd backend
npm startThe API server will start on http://localhost:3001
Open a new terminal:
cd frontend
npm startThe application will open in your browser at http://localhost:3000
Admin Account:
- Username:
admin - Password:
admin
New Users:
- Register to create a new account
- Each new user receives $100 credit automatically
This application demonstrates vulnerabilities from the OWASP Top 10:
- A01:2021 β Broken Access Control: IDOR vulnerabilities
- A02:2021 β Cryptographic Failures: Weak password hashing (SHA1)
- A03:2021 β Injection: SQL Injection, Command Injection, XXE
- A04:2021 β Insecure Design: Business logic flaws
- A05:2021 β Security Misconfiguration: Directory listing, exposed files
- A06:2021 β Vulnerable Components: Intentionally outdated patterns
- A07:2021 β Identification and Authentication Failures: Multiple auth issues
- A08:2021 β Software and Data Integrity Failures: No CSRF protection
- A09:2021 β Security Logging and Monitoring Failures: Inadequate logging
- A10:2021 β Server-Side Request Forgery: XXE to SSRF
- Beginners: Start with IDOR and SQL Injection
- Intermediate: Move to XSS, Command Injection, and File Upload
- Advanced: Try XXE, SSRF chains, and business logic flaws
- OWASP Web Security Testing Guide
- PortSwigger Web Security Academy
- HackerOne Hacktivity (real vulnerability reports)
- Bug Bounty Platforms (HackerOne, Bugcrowd)
If you encounter database errors:
cd backend
rm -rf ../database/ecommerce.db
npm run init-dbIf ports 3000 or 3001 are in use:
- Backend: Edit
server.jsand change PORT variable - Frontend: Create
.envfile withPORT=3002
Make sure both backend and frontend are running on localhost. The backend has CORS enabled for all origins in development.
This software is provided for educational purposes only. The creators and contributors are not responsible for any misuse or damage caused by this application. Users must:
- Only use in controlled, isolated environments
- Not deploy on public networks
- Not store real user data
- Comply with all applicable laws and regulations
- Use only for authorized security testing
By using this application, you agree to these terms and understand the risks involved.
This is lab is currently created using various LLM models. Rewriting this code without ai slop, adding a few more vulnerabilities and dockerizing is on my Todo list someday. Posting walkthroughs videos and pdfs are highly encouraged.
This project is released under MIT License for educational purposes only.
Inspired by:
- bugbounty reports
- Juice Shop (OWASP)
Remember: This application is a learning tool. Always practice ethical hacking and responsible disclosure!