Awesome
<h1 align="center">Damn Vulnerable Bank</h1> <p align="center"> <a href="https://github.com/rewanthtammana/Damn-Vulnerable-Bank/fork"> <img src="https://img.shields.io/github/forks/rewanthtammana/Damn-Vulnerable-Bank"> </a> <a href="https://github.com/rewanthtammana/Damn-Vulnerable-Bank/stargazers"> <img src="https://img.shields.io/github/stars/rewanthtammana/Damn-Vulnerable-Bank"> </a> <a href="https://github.com/rewanthtammana/Damn-Vulnerable-Bank/blob/master/LICENSE"> <img src="https://img.shields.io/github/license/rewanthtammana/Damn-Vulnerable-Bank"> </a> <a href="https://twitter.com/intent/tweet?text=Damn%20Vulnerable%20Bank%20Guide:&url=https%3A%2F%2Fgithub.com%2Frewanthtammana%2FDamn-Vulnerable-Bank"> <img src="https://img.shields.io/twitter/url?url=https%3A%2F%2Fgithub.com%2Frewanthtammana%2FDamn-Vulnerable-Bank"> </a> </p> <p align="center"> <b>Guide: https://rewanthtammana.com/damn-vulnerable-bank/</b> </p>About application
Damn Vulnerable Bank is designed to be an intentionally vulnerable android application. All the details are documented in the guide, here.
<!-- <img src="https://github.com/rewanthtammana/Damn-Vulnerable-Bank/blob/master/images/screen1.jpg" align="centre" height="600" width="395"><img src="https://github.com/rewanthtammana/Damn-Vulnerable-Bank/blob/master/images/screen2.jpg" align="centre" height="600" width="395"> -->Upcoming Sessions
NoNameCon
Black Hat Europe
Features
- Sign up
- Login
- My profile interface
- Change password
- Settings interface to update backend URL
- Add fingerprint check before transferring/viewing funds
- Add pin check before transferring/viewing funds
- View balance
- Transfer money
- Via manual entry
- Via QR scan
- Add beneficiary
- Delete beneficiary
- View beneficiary
- View transactions history
- Download transactions history
List of vulnerabilities in the application
To keep things crisp and interesting, we hidden this section. Do not toggle this button if you want a fun and challenging experience. Try to explore the application, find all the possible vulnerabilities and then cross check your findings with this list.
<details> <summary>Spoiler Alert</summary>- Root and emulator detection
- Anti-debugging checks (prevents hooking with frida, jdb, etc)
- SSL pinning - pin the certificate/public key
- Obfuscate the entire code
- Encrypt all requests and responses
- Hardcoded sensitive information
- Logcat leakage
- Insecure storage (saved credit card numbers maybe)
- Exported activities
- JWT token
- Webview integration
- Deep links
- IDOR
Backend to-do
- Add profile and change-password routes
- Create different secrets for admin and other users
- Add dynamic generation of secrets to verify JWT tokens
- Introduce bug in jwt verification
- Find a way to store database and mount it while using docker
- Dockerize environment
Core Team
Damn Vulnerable Bank was created by
Rewanth Tammana (Rest API) | Github | |
Akshansh Jaiswal (Android App) | Github | |
Hrushikesh Kakade (Android App) | Github |
Read more, here.