trungvt1108/web-test-vulnerability-for-pentest — reverse-engineered prompt

Reverse-engineered prompt

Build me a local training web app called NexTrade Corp Internal Portal for practicing pentesting in a safe Docker environment. I want it to feel like a normal company portal with a React frontend, FastAPI backend, PostgreSQL database, and Nginx proxy, all started with docker compose.

The app should have login with default admin credentials, product search and reviews, an HR area with employee profiles, document listing and downloads, profile picture upload, and an IT tools area with webhook testing, ping, and report generation.

Please intentionally include beginner-friendly vulnerable spots for learning, including SQL injection, XSS, path traversal, command injection, IDOR on user profiles, SSRF, SSTI, and unsafe file upload. Add a simple flag file or flags that can be found by exploiting the challenges, but keep everything local and clearly for lab use only.

Make the UI clean with Tailwind, include API docs, seed sample data, and make sure everything runs from a fresh clone with one command.
