Acme Market is a local-only ecommerce marketplace demo with realistic storefront, account, checkout, support, payment, OpenAPI, and admin evidence workflows.
The app intentionally contains standalone security issues plus a deeper support-to-refund attack chain. Scoring is not CTF-style: the backend records real evidence events when impact conditions are observed and tracks scenario progress across multiple connected steps.
```sh
docker compose up --build
```

Open:
- App: http://localhost:8088
- OpenAPI docs: http://localhost:8088/api/docs
- OpenAPI JSON: http://localhost:8088/api/schema/openapi.json
- Payment mock: http://localhost:8091/health
| Role | Username | Password |
|---|---|---|
| Tester/customer | shopper or shopper@acmemarket.test | shopperpass123 |
| Admin scoreboard | admin or admin@acmemarket.test | adminpass123 |
The storefront login uses a local email/password/code flow. Codes are delivered to the local mailbox used by the app during sign-in.
Admin UI:
http://localhost:8088
CLI:

```sh
docker compose exec web python manage.py score_demo
docker compose exec web python manage.py score_demo --json
```

Detailed maintainer scoring rules and expected evidence are documented in docs/VULNERABILITY_AND_SCORING_GUIDE.md.
Full reset:

```sh
./scripts/reset_demo.sh
```

This removes the Compose volumes, rebuilds the images, starts the stack, runs migrations, reseeds the demo data, and waits for the API health check.

In-place data reset without rebuilding:

```sh
docker compose exec web python manage.py reset_demo
docker compose exec web python manage.py seed_demo
```