A deliberately vulnerable web application for practicing application security testing, secure code review and implementing security in CI/CD pipelines.
This project is a simple banking application with multiple security vulnerabilities built in. It's designed to help security engineers, developers, interns, QA analysts and DevSecOps practitioners learn about:
- Common web application vulnerabilities
- Security testing automation
- Secure coding practices
- DevSecOps implementation
- 🔐 User Authentication & Authorization
- 💰 Account Balance Management
- 💸 Money Transfers
- 📝 Loan Requests
- 👤 Profile Picture Upload
- 📊 Transaction History
- 🔑 Password Reset System (3-digit PIN)
Authentication & Authorization
- SQL Injection in login
- Weak JWT implementation
- Broken object level authorization (BOLA)
- Weak password reset mechanism (3-digit PIN)
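A 3-digit PIN gives an attacker at most 1000 guesses, and the app imposes no limit on them. The following is an added example, not vuln-bank's own code, of what a hardened reset flow looks like: a CSPRNG token with 256 bits of entropy instead of a PIN, a time-to-live, a per-user attempt counter that invalidates the token once exhausted, and single use on success. `RESET_TTL_SECONDS`, `MAX_ATTEMPTS` and the in-memory `ResetTokenStore` are assumptions made for the example; a real deployment would back the store with a database and deliver the token over a verified channel.

```python
import secrets
import time

RESET_TTL_SECONDS = 15 * 60   # assumption: tokens live for 15 minutes
MAX_ATTEMPTS = 5              # assumption: wrong guesses allowed before the token is burned


class ResetTokenStore:
    """In-memory store (constructed for the example): username -> pending reset.

    The clock is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}

    def issue(self, username):
        # 32 random bytes from the OS CSPRNG; a 3-digit PIN has a search space of 1000.
        token = secrets.token_urlsafe(32)
        self._pending[username] = {
            "token": token,
            "expires": self._now() + RESET_TTL_SECONDS,
            "attempts": 0,
        }
        return token

    def redeem(self, username, presented):
        """Return True exactly once, for the right token, within its lifetime."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._now() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[username]
            return False
        entry["attempts"] += 1
        # Constant-time comparison; encode first so non-ASCII input cannot raise.
        if secrets.compare_digest(entry["token"].encode(), presented.encode()):
            del self._pending[username]          # single use
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[username]          # lock out further guesses
        return False
```

Because the token is deleted on expiry, on success and on the last failed attempt, a guess that arrives afterwards is indistinguishable from a reset that was never requested.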
Data Security
- Information disclosure
- Sensitive data exposure
- Plaintext password storage
- SQL injection points
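The login SQL injection and the plaintext password storage listed above are two sides of one defect: the password is compared inside a query that the user's input helps to write. The block below is an added example, not vuln-bank's own code, that puts the vulnerable pattern next to a hardened one using only the standard library: a parameterised lookup by username, a salted PBKDF2-SHA256 hash stored instead of the password, and a constant-time comparison done in Python. The `users` table layout, the `PBKDF2_ROUNDS` value and the sample row are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000   # assumption: tune to your hardware


def hash_password(password, salt=b""):
    """Return (salt, PBKDF2-SHA256 digest); a fresh 16-byte salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def make_db():
    """Constructed in-memory users table holding one row both ways: the plaintext
    column the vulnerable query reads, and the salt + hash the hardened query reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
        " password TEXT, salt BLOB, password_hash BLOB)"
    )
    salt, digest = hash_password("admin123")
    conn.execute(
        "INSERT INTO users (username, password, salt, password_hash) VALUES (?, ?, ?, ?)",
        ("admin", "admin123", salt, digest),
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """VULNERABLE: user input is spliced into the SQL text, so a quote in the
    username reaches the SQL parser, and the password is compared in plaintext."""
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def hardened_login(conn, username, password):
    """Parameterised query: the driver sends the username as data, never as SQL.
    The password never touches the database; only its salted hash is compared."""
    row = conn.execute(
        "SELECT id, salt, password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Burn a hash anyway so response time does not reveal whether the user exists.
        hash_password(password, b"\x00" * 16)
        return None
    user_id, salt, stored = row
    _, candidate = hash_password(password, salt)
    return user_id if hmac.compare_digest(candidate, stored) else None
```

With a username containing a single quote, the vulnerable function raises a SQL syntax error, showing that the input was parsed as SQL; the hardened function simply finds no such user.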
File Operations
- Unrestricted file upload
- Path traversal vulnerabilities
- No file type validation
- Directory traversal
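The four file-operation weaknesses above collapse into one handler that trusts the client-supplied filename and content. Here is an added example, not vuln-bank's own code, of a hardened profile-picture upload: the name is reduced to its last path component and a safe character set (so `..` and separators cannot survive), the extension is checked against an allowlist, the file's leading bytes must match that extension, a size cap is enforced, the stored name is namespaced per user, the file is created exclusively so an existing file is never overwritten, and the resolved path is confirmed to lie inside the upload directory. `UPLOAD_DIR` (a temporary directory standing in for `static/uploads`), `MAX_BYTES` and the `ALLOWED` table are assumptions made for the example.

```python
import os
import pathlib
import re
import tempfile

UPLOAD_DIR = pathlib.Path(tempfile.mkdtemp())   # stand-in for static/uploads
MAX_BYTES = 2 * 1024 * 1024                     # assumption: 2 MiB cap
# Extension -> magic bytes the content must start with (constructed allowlist).
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def safe_name(filename):
    """Keep only the final path component and [A-Za-z0-9._-]; strip leading dots."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")
    return base or None


def store_upload(filename, data, user_id):
    """Validate and write an upload. Returns (True, path) or (False, reason)."""
    if len(data) > MAX_BYTES:
        return (False, "too large")
    name = safe_name(filename)
    if name is None:
        return (False, "bad name")
    ext = os.path.splitext(name)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        return (False, "extension not allowed")
    if not data.startswith(magic):
        return (False, "content does not match extension")
    # Per-user prefix: two users uploading "avatar.png" do not collide.
    target = UPLOAD_DIR / f"{user_id}_{name}"
    # Defence in depth: even after sanitising, refuse anything outside UPLOAD_DIR.
    if UPLOAD_DIR.resolve() not in target.resolve().parents:
        return (False, "path escapes upload dir")
    try:
        with open(target, "xb") as fh:        # "x": fail instead of overwriting
            fh.write(data)
    except FileExistsError:
        return (False, "exists")
    return (True, str(target))
```

The magic-byte check is deliberately simple; a production service would additionally re-encode the image with an image library so that whatever is served back was produced by the server, not by the client.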
Session Management
- Token vulnerabilities
- No session expiration
- Weak secret keys
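The weak JWT implementation, the missing expiration, the weak secret and the BOLA on transaction history all meet in how a token is minted and then used to authorise a request. The block below is an added example, not vuln-bank's own code, of a minimal HS256 JWT issued and verified with the standard library only: the secret is 32 random bytes rather than a short literal, the algorithm is pinned so an `alg: none` header is rejected, the signature is checked before any claim is trusted, `exp` is enforced, and the verified `sub` claim is then compared against the account's owner before transaction history is returned. `SECRET`, `TOKEN_TTL`, the `ACCOUNTS` ownership table and the `TRANSACTIONS` data are constructed for the example; a deployment would load the secret from the environment and the tables from its database.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = secrets.token_bytes(32)   # assumption: in production, loaded from the environment
TOKEN_TTL = 15 * 60                # assumption: 15-minute access tokens


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, now=None):
    """Mint header.payload.signature with iat/exp claims."""
    now = int(time.time() if now is None else now)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + TOKEN_TTL},
                                 separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, now=None):
    """Return the claims dict, or None for anything malformed, forged, unsigned or expired."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: never let the token choose how it is verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))    # decoded only after the signature passes
    except (ValueError, TypeError):               # bad base64, bad JSON, wrong part count
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if now >= claims["exp"]:
        return None
    return claims


# Constructed data: account number -> owning user, and each account's history.
ACCOUNTS = {"1001": "alice", "1002": "bob"}
TRANSACTIONS = {"1001": ["deposit 50"], "1002": ["withdraw 20"]}


def get_transactions(token, account_number, now=None):
    """Return (http_status, body). The ownership check is the one vuln-bank omits."""
    claims = verify_token(token, now)
    if claims is None:
        return (401, None)
    # Same answer for "no such account" and "not your account", so the endpoint
    # cannot be used to confirm which account numbers exist.
    if ACCOUNTS.get(account_number) != claims["sub"]:
        return (404, None)
    return (200, TRANSACTIONS[account_number])
```

The `now` parameter exists so expiry can be tested with a fixed clock; callers in the application leave it unset.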
- Docker installed
- Clone the repository:
git clone https://github.com/Commando-X/vuln-bank.git
cd vuln-bank
- Build the Docker image:
docker build -t vuln-bank .
- Run the container:
docker run -p 5000:5000 vuln-bank
- Python 3.9 or higher
- pip (Python package manager)
- Git
- Clone the repository:
git clone https://github.com/Commando-X/vuln-bank.git
cd vuln-bank
- Create and activate a virtual environment (recommended):
# On Windows
python -m venv venv
venv\Scripts\activate
# On Linux/Mac
python3 -m venv venv
source venv/bin/activate
- Install required packages:
pip install -r requirements.txt
- Create necessary directories:
# On Windows
mkdir static\uploads
# On Linux/Mac
mkdir -p static/uploads
- Run the application:
# On Windows
python app.py
# On Linux/Mac
python3 app.py
Once running, access the application at:
http://localhost:5000
- Admin Account:
- Username: admin
- Password: admin123
If you get "python not found":
- Ensure Python is added to your system PATH
- Try using `py` instead of `python`
Permission issues with uploads folder:
- Run command prompt as administrator
- Ensure you have write permissions in the project directory
Permission denied when creating directories:
sudo mkdir -p static/uploads
sudo chown -R $USER:$USER static/uploads
Port 5000 already in use:
# Kill process using port 5000
sudo lsof -i:5000
sudo kill <PID>
- SQL Injection in login
- Weak password reset (bruteforce 3-digit PIN)
- JWT token manipulation
- Username enumeration
- Access other users' transaction history via account number
- Upload malicious files
- Access admin panel
- Manipulate JWT claims
- Upload unauthorized file types
- Attempt path traversal
- Upload oversized files
- Test file overwrite scenarios
Contributions are welcome! Feel free to:
- Add new vulnerabilities
- Improve existing features
- Add security testing tools
- Enhance documentation
- Fix bugs
This application contains intentional security vulnerabilities for educational purposes. DO NOT:
- Deploy in production
- Use with real personal data
- Run on public networks
- Use for malicious purposes
Made with ❤️ for Security Education