An Intentionally Vulnerable Banking Application for Security Practice

URL: https://github.com/Commando-X/vuln-bank (GitHub, Commando-X/vuln-bank)

This project is an intentionally vulnerable banking application designed for security engineers, developers, and QA analysts to practice secure code reviews and test their application security knowledge. It includes features like virtual cards, bill payments, API documentation, and a migration from SQLite to PgSQL. The application is beginner-friendly, with comprehensive code comments and a testing guide.

Practice Verified Codes and Commands

1. Clone the Repository:

git clone https://github.com/Commando-X/vuln-bank.git
cd vuln-bank

2. Set Up the Environment:

python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

3. Run the Application:

python manage.py runserver

4. Test for SQL Injection:

sqlmap -u http://localhost:8000/api/v1/login --data "username=admin&password=admin" --risk=3 --level=5

5. Check for XSS Vulnerabilities:

nikto -h http://localhost:8000

6. Scan for Open Ports:

nmap -sV -p 1-65535 localhost

7. Test API Endpoints:

curl -X POST http://localhost:8000/api/v1/transfer -d '{"from_account": "12345", "to_account": "67890", "amount": 100}' -H "Content-Type: application/json"

8. Check for Misconfigured Headers:

curl -I http://localhost:8000

9. Run a Security Audit:

bandit -r .

10. Check for Dependency Vulnerabilities:

safety check
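Step 4 above points sqlmap at the login endpoint to probe for SQL injection. The page does not say which defects vuln-bank actually contains, so the following is an added, self-contained illustration (not code from the vuln-bank project) of the pattern a secure code review looks for in a login handler: the same query written with string interpolation and with bound parameters, run against a constructed in-memory SQLite table. The table, the `alice` account and the `' OR 1=1 --` username are constructed for the demo; SHA-256 stands in for a real password KDF only to keep the example short.

```python
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Stand-in for a real slow, salted KDF (bcrypt/argon2); kept short for the demo.
    return hashlib.sha256(password.encode()).hexdigest()


def _setup_db() -> sqlite3.Connection:
    # Constructed sample data: one account, password stored as a hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # BAD: the username is pasted into the SQL text, so whoever controls it
    # controls the structure of the query. This is the class of defect an
    # sqlmap run against a login form is looking for.
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password_hash = '{_hash(password)}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # GOOD: placeholders bind the values; the driver never parses them as SQL,
    # so a username containing quotes or comment markers is just a literal.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row is not None


def demo() -> dict:
    # Runs both handlers with a legitimate login and with a username that
    # comments out the password check in the interpolated query.
    conn = _setup_db()
    bypass_username = "' OR 1=1 --"  # constructed review test case
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_bypass": login_vulnerable(conn, bypass_username, "wrong"),
        "safe_legit": login_safe(conn, "alice", "correct horse"),
        "safe_bypass": login_safe(conn, bypass_username, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

The interpolated version accepts the bypass username with any password, while the parameterized version rejects it. One caveat worth noting given the project's SQLite-to-PgSQL migration: the placeholder syntax is driver-specific (`?` for the `sqlite3` module, `%s` for psycopg2), so a review should confirm that every query still binds parameters after the migration rather than falling back to string formatting.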

What Undercode Says

This intentionally vulnerable banking application is an excellent resource for anyone looking to improve their skills in secure code reviews and application security testing. The project includes a variety of vulnerabilities, making it a comprehensive tool for learning and practice. By working through the code and testing for vulnerabilities, users can gain hands-on experience with real-world security challenges.

The application’s features, such as virtual cards and bill payments, mimic real-world banking applications, providing a realistic environment for testing. The migration from SQLite to PgSQL adds another layer of complexity, allowing users to practice database security. The comprehensive code comments and testing guide make it easy for beginners to get started, while the variety of vulnerabilities ensures that even experienced security professionals will find it challenging.

In addition to the provided commands, users can explore other security tools and techniques, such as using Burp Suite for web application testing, OWASP ZAP for automated security scans, and Metasploit for penetration testing. The project also encourages users to explore Linux and Windows security commands, such as `iptables` for firewall configuration, `netstat` for network connections, and `tasklist` for process management.

Overall, this project is a valuable resource for anyone interested in application security. It provides a safe environment for learning and practice, with plenty of opportunities to explore different aspects of security testing. Whether you’re a beginner or an experienced professional, this project has something to offer.

For more information, visit the GitHub repository.
