Duck Store is Open for Business (And Vulnerabilities!)

What is the purpose of rubber ducks, you might ask yourself?

Apart from being a (potentially) fun companion to your singing in the shower, they can now teach you how to break the app.

Yep, you read that right.

Your humble rubber duckie is no longer just an innocent bathroom buddy; it’s your new partner in cybersecurity crime.

We know who could have expected it, right?

But here we are. Escape’s Duck Store is live, and it’s packed with vulnerabilities that you can explore and break until your heart’s full!

What can you expect?

We’ve definitely got something quaking awesome: you’ll be able to explore everything from the web interface to the API to the MCP server and discover the kinds of vulnerabilities you’ll actually see in real-world apps.

We focused not on quantity for now, but on the real-world use cases we’ve seen most often in the wild.

The ducks are waiting for you

Frameworks & Technologies: Duck Store is built with React for the user interface and Fast API backend, an emerging framework for the modern web development.

Here’s a taste of what’s waiting for you:

Business Logic Flaws: From coupon system vulnerabilities to negative quantities in the cart, Duck Store offers multiple ways to exploit logic flaws and bypass restrictions, just like a real-world attacker would.
Insecure Direct Object References (IDOR): Test your skills by exploiting flaws in the way user orders and data are accessed without proper authorization checks.
Cross-Site Scripting (XSS): Uncover reflected and stored XSS vulnerabilities across multiple parts of the app, including the delete account and testimonials sections.
SQL Injection (Sandboxed): This vulnerability lets you manipulate database queries, but with some protective sandboxing—so you’ll be able to test SQLi techniques without causing actual damage.
Server-Side Request Forgery (SSRF): Exploit internal services by sending unauthorized requests to private endpoints via vulnerable image upload and link preview features.
JWT Algorithm Confusion: A fun challenge to exploit JWT authentication flaws and potentially bypass security mechanisms to access admin functionality.

And here’s the fun part: we’re not giving you instructions on how to find the vulnerabilities. You’re the one who gets to find them all!

The full list is available here: duck-store.escape.tech/vulnerabilities

What will you get in return?

Well, apart from gaining hands-on experience with discovering a wide range of vulnerabilities — from classic issues like SQL injection to more advanced flaws such as BOLA (Broken Object Level Authorization), you’ll earn a rubber duckie certificate!

Just look at the love from all our customers

And if you’re the first to discover all the vulnerabilities and send us a public write-up, you’ll win Escape swag AND a special cyber rubber duckie with a personal note from us.

This duck has already crossed the waters and is waiting for you

Naturally, you can also put any scanner to the test to find all the slippery vulnerabilities those rubber duckies are hiding.

We’ve tested it ourselves with the Escape scanner, and since every person on our R&D team has their own hacker duckie, the app didn’t stand a chance!

OK, we can give you a hint for one vulnerability

We’ll be gradually updating the vulnerabilities starting in 2026!

Ready, set, DUCK IT!

And remember, if life gives you a ~~bathtub~~ pentesting environment, bring a rubber duck.