Help & about
sekumart is a deliberately vulnerable practice shop. Point your tools at it — it will not fight back (much).
Try the security level switch (top-right) to flip each page between vulnerable and fixed, then hit view source to see the exact code.
The injection playground includes: SQLi (product, category, search, login, cart coupon), XSS (search, reviews, JSONP API, DOM via #lang=), path traversal, open redirect, and CSRF (account/reviews).
Demo account: admin / password. Try the language banner: #lang=friend.