{"id":26103154,"url":"https://github.com/Commando-X/vuln-bank","last_synced_at":"2025-03-09T20:02:18.707Z","repository":{"id":276892242,"uuid":"930540687","full_name":"Commando-X/vuln-bank","owner":"Commando-X","description":"A deliberately vulnerable banking application designed for practicing secure code reviews and API security testing. Features common vulnerabilities found in real-world applications, making it an ideal platform for security professionals, developers, and enthusiasts to learn security testing and secure coding practices in a safe environment.","archived":false,"fork":false,"pushed_at":"2025-03-01T05:06:30.000Z","size":119,"stargazers_count":90,"open_issues_count":0,"forks_count":17,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-01T06:18:45.423Z","etag":null,"topics":["application-security","devsecops","penetration-testing","secure-coding"],"latest_commit_sha":null,"homepage":"","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Commando-X.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-02-10T19:53:33.000Z","updated_at":"2025-03-01T05:06:34.000Z","dependencies_parsed_at":null,"dependency_job_id":"106641ea-590c-472d-af27-b7d91f740f82","html_url":"https://github.com/Commando-X/vuln-bank","commit_stats":null,"previous_names":["commando-x/vuln-bank"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Commando-X%2Fvuln-bank","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Co
mmando-X%2Fvuln-bank/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Commando-X%2Fvuln-bank/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Commando-X%2Fvuln-bank/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Commando-X","download_url":"https://codeload.github.com/Commando-X/vuln-bank/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":242744102,"owners_count":20178174,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["application-security","devsecops","penetration-testing","secure-coding"],"created_at":"2025-03-09T20:02:16.423Z","updated_at":"2025-03-09T20:02:18.671Z","avatar_url":"https://github.com/Commando-X.png","language":"HTML","funding_links":[],"categories":["HTML","Python"],"sub_categories":[],"readme":"# Vulnerable Bank Application 🏦\n\nA deliberately vulnerable web application for practicing application security testing, secure code review and implementing security in CI/CD pipelines.\n\n⚠️ **WARNING: This application is intentionally vulnerable and should only be used for educational purposes in isolated environments.**\n\n## Overview\n\nThis project is a simple banking application with multiple security vulnerabilities built in. 
It's designed to help security engineers, developers, interns, QA analysts and DevSecOps practitioners learn about:\n- Common web application and API vulnerabilities\n- Secure coding practices\n- Security testing automation\n- DevSecOps implementation\n\n## Features \u0026 Vulnerabilities\n\n### Core Banking Features\n- 🔐 User Authentication \u0026 Authorization\n- 💰 Account Balance Management\n- 💸 Money Transfers\n- 📝 Loan Requests\n- 👤 Profile Picture Upload\n- 📊 Transaction History\n- 🔑 Password Reset System (3-digit PIN)\n- 💳 Virtual Cards Management\n- 📱 Bill Payments System\n\n### Implemented Vulnerabilities\n\n1. **Authentication \u0026 Authorization**\n   - SQL Injection in login\n   - Weak JWT implementation\n   - Broken object level authorization (BOLA)\n   - Broken object property level authorization (BOPLA)\n   - Mass Assignment \u0026 Excessive Data Exposure\n   - Weak password reset mechanism (3-digit PIN)\n   - Token stored in localStorage\n   - No server-side token invalidation\n   - No session expiration\n\n2. **Data Security**\n   - Information disclosure\n   - Sensitive data exposure\n   - Plaintext password storage\n   - SQL injection points\n   - Debug information exposure\n   - Detailed error messages exposed\n\n3. **Transaction Vulnerabilities**\n   - No amount validation\n   - Negative amount transfers possible\n   - No transaction limits\n   - Race conditions in transfers and balance updates\n   - Transaction history information disclosure\n   - No validation on recipient accounts\n\n4. **File Operations**\n   - Unrestricted file upload\n   - Path traversal vulnerabilities\n   - No file type validation\n   - Directory traversal\n   - No file size limits\n   - Unsafe file naming\n\n5. **Session Management**\n   - Token vulnerabilities\n   - No session expiration\n   - Weak secret keys\n   - Token exposure in URLs\n\n6. 
**Client and Server-Side Flaws**\n   - Cross Site Scripting (XSS)\n   - Cross Site Request Forgery (CSRF)\n   - Insecure direct object references\n   - No rate limiting\n\n7. **Virtual Card Vulnerabilities**\n   - Mass Assignment in card limit updates\n   - Predictable card number generation\n   - Plaintext storage of card details\n   - No validation on card limits\n   - BOLA in card operations\n   - Race conditions in balance updates\n   - Card detail information disclosure\n   - No transaction verification\n   - Lack of card activity monitoring\n\n8. **Bill Payment Vulnerabilities**\n   - No validation on payment amounts\n   - SQL injection in biller queries\n   - Information disclosure in payment history\n   - Predictable reference numbers\n   - Transaction history exposure\n   - No validation on biller accounts\n   - Race conditions in payment processing\n   - BOLA in payment history access\n   - Missing payment limits\n\n## Installation \u0026 Setup 🚀\n\n### Prerequisites\n- Docker and Docker Compose (for containerized setup)\n- PostgreSQL (if running locally)\n- Python 3.9 or higher (for local setup)\n- Git\n\n### Option 1: Using Docker (Recommended)\n\n#### Using Docker Compose (Easiest)\n1. Clone the repository:\n```bash\ngit clone https://github.com/Commando-X/vuln-bank.git\ncd vuln-bank\n```\n\n2. Start the application:\n```bash\ndocker-compose up --build\n```\n\nThe application will be available at `http://localhost:5000`\n\n#### Using Docker Only\n1. Clone the repository:\n```bash\ngit clone https://github.com/Commando-X/vuln-bank.git\ncd vuln-bank\n```\n\n2. Build the Docker image:\n```bash\ndocker build -t vuln-bank .\n```\n\n3. Run the container:\n```bash\ndocker run -p 5000:5000 vuln-bank\n```\n\n### Option 2: Local Installation\n\n#### Prerequisites\n- Python 3.9 or higher\n- PostgreSQL installed and running\n- pip (Python package manager)\n- Git\n\n#### Steps\n1. 
Clone the repository:\n```bash\ngit clone https://github.com/Commando-X/vuln-bank.git\ncd vuln-bank\n```\n\n2. Create and activate a virtual environment (recommended):\n```bash\n# On Windows\npython -m venv venv\nvenv\\Scripts\\activate\n\n# On Linux/Mac\npython3 -m venv venv\nsource venv/bin/activate\n```\n\n3. Install required packages:\n```bash\npip install -r requirements.txt\n```\n\n4. Create necessary directories:\n```bash\n# On Windows\nmkdir static\\uploads\n\n# On Linux/Mac\nmkdir -p static/uploads\n```\n\n5. Modify the .env file:\n   - Open .env and change DB_HOST from 'db' to 'localhost' for local PostgreSQL connection\n\n6. Run the application:\n```bash\n# On Windows\npython app.py\n\n# On Linux/Mac\npython3 app.py\n```\n\n### Environment Variables\nThe `.env` file is intentionally included in this repository to facilitate easy setup for educational purposes. In a real-world application, you should never commit `.env` files to version control.\n\nCurrent environment variables:\n```bash\nDB_NAME=vulnerable_bank\nDB_USER=postgres\nDB_PASSWORD=postgres\nDB_HOST=db  # Change to 'localhost' for local installation\nDB_PORT=5432\n```\n\n### Database Setup\nThe application uses PostgreSQL. The database will be automatically initialized when you first run the application, creating:\n- Users table\n- Transactions table\n- Loans table\n\n### Accessing the Application\n- Main application: `http://localhost:5000`\n- API documentation: `http://localhost:5000/api/docs`\n\n### Common Issues \u0026 Solutions\n\n#### Windows\n1. If you get \"python not found\":\n   - Ensure Python is added to your system PATH\n   - Try using `py` instead of `python`\n\n2. Permission issues with uploads folder:\n   - Run command prompt as administrator\n   - Ensure you have write permissions in the project directory\n\n#### Linux/Mac\n1. Permission denied when creating directories:\n   ```bash\n   sudo mkdir -p static/uploads\n   sudo chown -R $USER:$USER static/uploads\n   ```\n\n2. 
Port 5000 already in use:\n   ```bash\n   # Kill process using port 5000\n   sudo lsof -i:5000\n   sudo kill \u003cPID\u003e\n   ```\n\n#### PostgreSQL Issues\n1. Connection refused:\n   - Ensure PostgreSQL is running\n   - Check credentials in .env file\n   - Verify PostgreSQL port is not blocked\n\n## Testing Guide 🎯\n\n### Authentication Testing\n1. SQL Injection in login\n2. Weak password reset (brute-force the 3-digit PIN: only 1,000 possible values)\n3. JWT token manipulation\n4. Username enumeration\n5. Token storage vulnerabilities\n\n### Authorization Testing\n1. Access other users' transaction history via account number\n2. Upload malicious files\n3. Access admin panel\n4. Manipulate JWT claims\n5. Exploit BOPLA (Excessive Data Exposure and Mass Assignment)\n6. Privilege escalation through registration\n\n### Transaction Testing\n1. Attempt negative amount transfers\n2. Race conditions in transfers\n3. Transaction history access\n4. Balance manipulation\n\n### File Upload Testing\n1. Upload unauthorized file types\n2. Attempt path traversal\n3. Upload oversized files\n4. Test file overwrite scenarios\n5. File type bypass\n\n### API Security Testing\n1. Token manipulation\n2. BOLA/BOPLA in API endpoints\n3. Information disclosure\n4. Error message analysis\n\n### Virtual Card Testing\n\n1. Exploit mass assignment in card limit updates\n2. Analyze card number generation patterns\n3. Access unauthorized card details\n4. Test card freezing bypasses\n5. Transaction history manipulation\n6. Card limit validation bypass\n\n### Bill Payment Testing\n\n1. Test biller enumeration\n2. Payment amount validation bypass\n3. Access unauthorized payment history\n4. SQL injection in biller selection\n5. Reference number prediction\n6. Race condition exploitation in payments\n\n## Contributing 🤝\n\nContributions are welcome! 
Feel free to:\n- Add new vulnerabilities\n- Improve existing features\n- Document testing scenarios\n- Enhance documentation\n- Fix bugs (that aren't intentional vulnerabilities)\n\n## Disclaimer ⚠️\n\nThis application contains intentional security vulnerabilities for educational purposes. DO NOT:\n- Deploy in production\n- Use with real personal data\n- Run on public networks\n- Use for malicious purposes\n- Store sensitive information\n\n## License\n\nThis project is licensed under the MIT License - see the LICENSE file for details.\n\n---\nMade with ❤️ for Security Education","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCommando-X%2Fvuln-bank","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCommando-X%2Fvuln-bank","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCommando-X%2Fvuln-bank/lists"}
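The README above lists "SQL Injection in login" as the first implemented vulnerability and "Plaintext password storage" under data security, but does not show the query. The following is an added example, not code from the vuln-bank repository: it models the bug class with a string-built login query beside the parameterised form, against an in-memory SQLite table with constructed rows (the project itself uses PostgreSQL, where the same `'--` and `' OR '1'='1` payloads apply).

```python
"""Added example (not part of vuln-bank): SQL-injectable login vs. a
parameterised one. Data is constructed here; the table, column names and
sample users are assumptions, not the project's schema."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, is_admin INTEGER)"
    )
    # Constructed sample rows. Plaintext passwords mirror the README's
    # "Plaintext password storage" finding; a real app stores a slow hash.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice123", 0), ("admin", "Sup3rS3cret!", 1)],
    )
    conn.commit()
    return conn


def _row_to_user(row):
    return {"username": row[0], "is_admin": bool(row[1])} if row else None


def vulnerable_login(conn, username, password):
    """User input is concatenated into the SQL text, so a quote in the
    username ends the string literal and the rest is parsed as SQL.
    `admin'--` comments out the password check entirely."""
    query = (
        "SELECT username, is_admin FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return _row_to_user(conn.execute(query).fetchone())


def safe_login(conn, username, password):
    """Parameterised query: the driver binds the values as data, so the
    same payloads are simply compared as (non-matching) strings."""
    row = conn.execute(
        "SELECT username, is_admin FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return _row_to_user(row)


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("admin'--", "x"), ("' OR '1'='1", "' OR '1'='1"), ("alice", "alice123")]:
        print(repr(user), "vulnerable:", vulnerable_login(db, user, pw),
              "| safe:", safe_login(db, user, pw))
```

`admin'--` logs in as the admin row without knowing its password; `' OR '1'='1` in both fields makes the WHERE clause true for every row and returns whichever row comes first. The parameterised version returns nothing for either payload and still authenticates a genuine user.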
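"Race conditions in transfers and balance updates" appears in the vulnerability list and "Race conditions in transfers" in the Testing Guide, with no detail on what the race is. This added example (not the project's own code) reproduces the classic read-check-write transfer and the one-statement fix. It uses an in-memory SQLite table with a constructed pair of accounts and a `threading.Barrier` so the losing interleaving happens every time instead of occasionally; the account and column names are assumptions, and the conditional `UPDATE ... WHERE balance >= ?` fix works the same way on PostgreSQL.

```python
"""Added example (not part of vuln-bank): a transfer that loses the race
beside an atomic conditional UPDATE. Accounts and amounts are constructed."""
import sqlite3
import threading

AMOUNT = 80        # each request tries to move 80 out of a starting balance of 100
REQUESTS = 2       # concurrent transfer requests from the same account
DB_LOCK = threading.Lock()


def make_db():
    # Constructed data: account 1 holds 100, account 2 holds 0.
    # Autocommit and check_same_thread=False so worker threads can share it.
    conn = sqlite3.connect(":memory:", isolation_level=None, check_same_thread=False)
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER)")
    conn.execute("INSERT INTO accounts VALUES (1, 100), (2, 0)")
    return conn


def query(conn, sql, params=()):
    """Run one statement. The lock serialises individual statements, as the
    database would; it does NOT serialise a read-check-write sequence."""
    with DB_LOCK:
        cur = conn.execute(sql, params)
        return cur.fetchall(), cur.rowcount


def run_concurrently(worker):
    """Run `worker` in REQUESTS threads that rendezvous on a Barrier, so the
    interleaving is forced rather than left to luck; returns each result."""
    results = [None] * REQUESTS
    barrier = threading.Barrier(REQUESTS, timeout=5)

    def run(i):
        results[i] = worker(barrier)

    threads = [threading.Thread(target=run, args=(i,)) for i in range(REQUESTS)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def vulnerable_transfer(conn):
    """Read the balance, check it in application code, write back a value
    computed from the stale read. Both requests see 100 and both 'succeed'."""
    def worker(barrier):
        rows, _ = query(conn, "SELECT balance FROM accounts WHERE id = 1")
        balance = rows[0][0]
        barrier.wait()                      # all requests have read before any writes
        if balance < AMOUNT:
            return False
        query(conn, "UPDATE accounts SET balance = ? WHERE id = 1", (balance - AMOUNT,))
        query(conn, "UPDATE accounts SET balance = balance + ? WHERE id = 2", (AMOUNT,))
        return True
    return run_concurrently(worker)


def safe_transfer(conn):
    """Check and debit in a single conditional UPDATE; the row count tells
    each request whether it won. Only one debit can ever pass the guard."""
    def worker(barrier):
        barrier.wait()
        _, changed = query(
            conn,
            "UPDATE accounts SET balance = balance - ? WHERE id = 1 AND balance >= ?",
            (AMOUNT, AMOUNT),
        )
        if changed != 1:
            return False
        query(conn, "UPDATE accounts SET balance = balance + ? WHERE id = 2", (AMOUNT,))
        return True
    return run_concurrently(worker)


def balances(conn):
    rows, _ = query(conn, "SELECT id, balance FROM accounts ORDER BY id")
    return dict(rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_transfer(db), balances(db))   # money created
    db = make_db()
    print("safe:      ", safe_transfer(db), balances(db))         # one winner
```

In the vulnerable path both requests report success and the ledger ends at 20 / 160: 160 was credited while only 80 was debited. A `SELECT ... FOR UPDATE` inside one transaction, or an optimistic version column, are equivalent fixes; what matters is that the balance check and the debit cannot be separated by another request.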
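The page names "Weak JWT implementation", "Weak secret keys", "No session expiration" and, in the Testing Guide, "JWT token manipulation" and "Manipulate JWT claims", without saying how such a token is attacked. This added example (not code from the project) implements HS256 signing and verification with the standard library only, then shows the attack the weak-secret finding implies: recover the signing secret from a short wordlist and mint a token with an `is_admin` claim the server accepts. The secret, wordlist and claim names are constructed assumptions, not values from vuln-bank; the verifier also rejects an expired `exp` when given the current time, which a token with no expiry never triggers.

```python
"""Added example (not part of vuln-bank): HS256 JWT signing/verification,
weak-secret recovery from a wordlist, and forging an admin claim."""
import base64
import hashlib
import hmac
import json
import secrets

SERVER_SECRET = "secret"                                   # constructed weak secret
WORDLIST = ["password", "123456", "jwt", "secret", "changeme"]   # constructed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256_sign(claims: dict, secret: str) -> str:
    """header.payload.signature with HMAC-SHA256 over 'header.payload'."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def hs256_verify(token: str, secret: str, now: int | None = None):
    """Return the claims if the signature (and, when `now` is given, the exp
    claim) checks out, else None. Constant-time compare on the MAC."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    # A token without "exp" never expires; a verifier should require one.
    if now is not None and "exp" in claims and claims["exp"] <= now:
        return None
    return claims


def crack_secret(token: str, wordlist):
    """Offline: any guess that verifies the signature is the server's secret."""
    for guess in wordlist:
        if hs256_verify(token, guess) is not None:
            return guess
    return None


def attack():
    """Take an ordinary user's token, recover the secret, forge an admin
    token, and confirm the server-side check accepts it."""
    victim = hs256_sign({"sub": "alice", "is_admin": False}, SERVER_SECRET)
    secret = crack_secret(victim, WORDLIST)
    if secret is None:
        return None
    forged = hs256_sign({"sub": "alice", "is_admin": True}, secret)
    return hs256_verify(forged, SERVER_SECRET)


def strong_secret() -> str:
    # 256 bits from the OS CSPRNG: not guessable from any wordlist.
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    print("forged token accepted as:", attack())
    tok = hs256_sign({"sub": "alice"}, strong_secret())
    print("wordlist against strong secret:", crack_secret(tok, WORDLIST))
```

The cracking loop is the whole attack: HS256 tokens can be verified offline, so a secret short enough to sit in a wordlist (or in a committed `.env`, as the page's setup section warns against) lets anyone sign arbitrary claims. A random 256-bit secret, an `exp` claim checked on every request, and server-side revocation address the three session findings on the page together.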