FastPay is a deliberately vulnerable payment gateway integration simulation app. It mimics a real-world checkout system using Stripe for payment processing — with intentional flaws for you to discover and exploit.
Inspired by vulnerabilities identified in real-world applications, FastPay provides a controlled environment to help you discover, analyze, and exploit security flaws commonly found in actual payment gateway integrations.
It features realistic user flows such as adding balance to a wallet, purchasing clothes, booking movie tickets (with tickets delivered via email), and ordering food online.
Create a free Stripe account and grab your test API keys here:
👉 https://dashboard.stripe.com/test/apikeys
Then add the following to your .env file:
STRIPE_SECRET_KEY=sk_test_**************
STRIPE_PUBLISHABLE_KEY=pk_test_**************
This app is preconfigured to use a free test SMTP service:
👉 https://www.wpoven.com/tools/free-smtp-server-for-testing
No signup needed — just use any email ID when registering.
echo '127.0.0.1 fastpay.com' | sudo tee -a /etc/hosts
Then access the app at: http://fastpay.com
Card Number: 4000 0035 6000 0008
Expiry Date: Any future date
CVV: Any 3-digit number
More test cards 👉 https://docs.stripe.com/testing?testing-method=card-numbers#India
git clone https://github.com/tauh33dkhan/FastPay.git
cd FastPay
npm install
Stripe sends webhook notifications when payments are completed. You'll need to listen for them and forward them to your app. Note that `stripe login` and `stripe listen` are Stripe CLI commands (https://docs.stripe.com/stripe-cli), which is a separate install from the `stripe` npm package used by the server:
npm install --save stripe
stripe login
stripe listen --forward-to localhost/webhook
node server.js
Now visit: http://fastpay.com
Explore the system like a real attacker and discover all issues!
- Bug bounty hunters
- Security engineers
- CTF creators
- Payment security researchers
- Developers
Created by @tauh33dkhan
Built with ❤️ for the security community.