«««< HEAD This project was created by Abi
It is a Next.js project built on React and TailwindCSS.
First, run the development server:
npm run dev
# or
yarn dev
# or
pnpm dev
# or
bun dev
Open http://localhost:3000 with your browser to see the result.
You can start editing the code in src. The page auto-updates as you edit the file.
To learn more, take a look at the following resources:
π SecureBank - Deliberately Vulnerable Banking Application π οΈ About SecureBank SecureBank is a deliberately vulnerable banking application designed for security researchers and ethical hackers to practice identifying and exploiting security flaws based on the OWASP Top 10 vulnerabilities.
This project serves as an educational tool to help learners understand real-world security vulnerabilities and their mitigation techniques.
β οΈ Disclaimer: This project is for educational purposes only. Do NOT use it in production environments. The vulnerabilities are intentionally included to facilitate learning.
π Features & Vulnerabilities SecureBank is intentionally designed with multiple security vulnerabilities, making it an ideal target for ethical hacking and penetration testing exercises. It includes:
β Weak Authentication Mechanism (Hardcoded credentials, weak password policy) β JWT Token Exploitation (Insecure storage, predictable token structure) β SQL Injection (SQLi) (Direct database queries without parameterization) β Cross-Site Scripting (XSS) (Unsanitized user input, stored & reflected XSS) β Sensitive Data Exposure (API key leakage, debug comments with secrets) β Broken Access Control (Users can perform unauthorized transactions) β Insufficient Security Logging (Limited security monitoring) β Lack of Security Headers (No CSP, HSTS, or other protection mechanisms) β Insecure Direct Object References (IDOR) (Users can access unauthorized data) β CSRF & Form Security Issues (No CSRF protection, rate limiting) π οΈ Installation & Setup Follow these steps to clone and set up SecureBank locally:
1οΈβ£ Clone the Repository git clone https://github.com/YOUR_GITHUB_USERNAME/SecureBank.git cd SecureBank 2οΈβ£ Install Dependencies npm install 3οΈβ£ Run the Application npm run dev 4οΈβ£ Access the App Open your browser and go to http://localhost:3000 π Vulnerability Breakdown & Exploitation Guide 1οΈβ£ Weak Authentication π Location: handleLogin function π Issue: Hardcoded credentials (admin/password123, test/test123)
π₯ Attack: Attempt logging in with known weak credentials. Brute-force other potential usernames and passwords. π Fix: β Enforce a strong password policy. β Use proper password hashing (bcrypt, Argon2). β Implement rate limiting & account lockout after multiple failed attempts.
2οΈβ£ SQL Injection (SQLi) π Location: handleTransfer function π Issue: Direct SQL query concatenation without parameterized queries
π₯ Attack: Inject SQL queries in the transfer input field: sql β OR 1=1 β Extract sensitive user data or manipulate transactions. π Fix: β Use prepared statements & parameterized queries. β Sanitize user inputs.
3οΈβ£ Cross-Site Scripting (XSS) π Location: Message Board (dangerouslySetInnerHTML) π Issue: Directly rendering user input without sanitization
π₯ Attack: Inject a malicious script into the message field: π Fix: β Implement HTML sanitization before rendering messages. β Use Content Security Policy (CSP) to prevent script execution.
4οΈβ£ Sensitive Data Exposure π Issue: API key exposed in front-end code π Example: sk_test_51ABCxyz (Stored in useState)
π₯ Attack: Extract API keys from the source code using browser dev tools. π Fix: β Move sensitive data to environment variables. β Never expose secrets in the front-end code.
5οΈβ£ Broken Access Control π Issue: No validation of user permissions before performing transactions
π₯ Attack: Modify transfer requests to send money from another userβs account. π Fix: β Implement role-based access control (RBAC). β Validate user permissions before executing any action.
6οΈβ£ Missing Security Headers π Issue: No CSP, HSTS, X-Frame-Options, etc.
π₯ Attack: Clickjacking, iframe injections, and XSS attacks. π Fix: β Add security headers in server configuration: Strict-Transport-Security: max-age=31536000; includeSubDomains Content-Security-Policy: default-src βselfβ X-Frame-Options: DENY π Security Best Practices β Implement Multi-Factor Authentication (MFA) β Use bcrypt/Argon2 for password hashing β Implement OAuth2.0 / JWT best practices β Perform input validation & sanitization β Secure sensitive data with encryption (AES, RSA) β Add server-side logging & monitoring
π Deployment Hosting on Vercel/Netlify To deploy SecureBank on Vercel or Netlify, follow these steps:
1οΈβ£ Deploy on Vercel npm install -g vercel vercel login vercel 2οΈβ£ Deploy on Netlify npm install -g netlify-cli netlify login netlify deploy π΄ββ οΈ Ethical Hacking Tools to Use πΉ Burp Suite β To intercept & modify requests πΉ SQLMap β To test for SQL Injection πΉ OWASP ZAP β To scan for web vulnerabilities πΉ Metasploit β For penetration testing
π€ Contributing We welcome contributions! Feel free to:
Report issues π Submit pull requests π Suggest security improvements π β οΈ Disclaimer This project is intentionally insecure and should only be used for learning and testing purposes. Do NOT deploy this in a production environment. The authors are not responsible for any misuse of this code.
π License This project is licensed under the MIT License.
π‘ Want More Security Projects? Follow me on GitHub and LinkedIn for more security research and ethical hacking projects! π
ad44a5a41b324025d2252199ef807d58e515f57d