🛒 sekumart: deals so good it should be illegal
security level: low medium high impossible

Attack index

Every intentional bug, where it lives, and its OWASP category. Flip the security level (top-right) to compare vulnerable vs fixed, hit view source on each page, and grab flags on the scoreboard.

| vulnerability | where | OWASP | level |
|---|---|---|---|
| SQLi — integer, GET | /product.php?id=1 | A03 Injection | easy |
| SQLi — category, GET | /category.php?cat=1 | A03 | easy |
| SQLi — search LIKE, GET | /search.php?q=mug | A03 | easy |
| SQLi — ORDER BY | /catalog.php?sort=name | A03 | medium |
| SQLi — blind boolean/time | /track.php?order=SK-1001 | A03 | medium |
| SQLi — login auth bypass, POST | /login.php | A03 / A07 | easy |
| SQLi — cookie | the curr currency cookie | A03 | medium |
| SQLi — JSON body | /apiv1.php | A03 | medium |
| SQLi — coupon, POST | /cart.php | A03 | easy |
| XSS — reflected | /search.php?q= | A03 | easy |
| XSS — stored | /reviews.php | A03 | easy |
| XSS — DOM-based | /help.php#lang= | A03 | medium |
| XSS — JSONP | /api.php?callback=cb | A03 | medium |
| Path traversal / LFI-read | /image.php?file= | A01 / A05 | medium |
| Open redirect | /go.php?url= | A01 | easy |
| CSRF | /account.php, /reviews.php | A01 | medium |
| Broken access control | /admin.php | A01 | medium |
| Insecure identity cookie | the auth cookie | A07 | easy |
| Business logic — qty/price tampering | /cart.php | A04 | medium |

Bonus: this shop ships an OpenAPI spec — try sqlmap --openapi against it.