CodeLevels
  • Projects
    • All projects
    • Becoming a web developer!
    • Building mini-apps
    • Full-Stack DIY services
    • Web Security
    • Desktop apps
    • Growing into AI apps
    • ML and data science
    • Production-grade apps
    • Developer Tools
    • Dive Deeper into JavaScript
    • Mobile apps
  • Desktop App
  • Account

Duck store: intentionally vulnerable website!

Project #2 of 5 in "Web Security" progression
Duck store: intentionally vulnerable website! thumbnail

Updated: Feb 23, 2026

In this project

Wanna become the best cyber guardian of all time? Meet Duck Store - website you need to hack. 

Surprised? Well, at the beginning of their careers, most white hat specialist were hackers first. And you will be too.   


Lessons

  1. #1.Meet Duck Store: intentionally vulnerable website #1
  2. #2.Full vulnerabilities list #2
  3. #3.Scan the website tech stack using Wappalyzer #3
  4. #4.Business logic flow: negative items quantity #4
  5. #5.100% off coupons: Coupon Information Disclosure #5
  6. #6.Shipping Cost Bypass: level 1 #6
  7. #7.Shipping Cost Bypass: level 2 #7
  8. #8.Referral Code Abuse: account farming #8
  9. #9.A mental model of XSS attack #9
  10. #10.Setting up an XSS mine in testimonials #10
  11. #11.This shouldn't work: IDOR in testimonials #11
  12. #12.I gol all of your users: user enumeration #12
  13. #13.Sniffing user data: User Enumeration + IDOR chain #13
  14. #14.IDOR in orders: see placed orders you don't own #14
  15. #15.Uplifting user priviledges with mass Assignment #15
  16. #16.How SQL injections work: playground #16
  17. #17.Tricky SQL injection using sqlmap #17
  18. #18.Brute Force attack with No Rate Limiting: weak admin credentials #18
  19. #19.JWT alg:none - becoming the admin of the website #19
  20. #20.getendpoints: javascript bookmarklet injection #20
  21. #21.SSRF: Link Preview #21
  22. #22.SSRF: Image Import #22
  23. #23.Open Redirect #23
  24. #24.2FA Bypass #24
Duck store: intentionally vulnerable website!