rewanthtammana / Damn-Vulnerable-Bank

Licence: MIT license
Damn Vulnerable Bank is an intentionally vulnerable Android application. It provides a target against which to assess your Android application security testing skills.

Programming Languages

Java, JavaScript, C, HTML, Makefile, Dockerfile, CMake

Projects that are alternatives of or similar to Damn-Vulnerable-Bank

Android Reports And Resources
A big list of Android Hackerone disclosed reports and other resources.
Stars: ✭ 590 (+55.67%)
Mutual labels:  infosec, android-security
Application Security Engineer Interview Questions
Some of the questions which I was asked when I was giving interviews for Application/Product Security roles. I am sure this is not an exhaustive list, but I felt these questions were important to be asked and some were challenging to answer.
Stars: ✭ 267 (-29.55%)
Mutual labels:  infosec, application-security
Evabs
An open source Android application that is intentionally vulnerable so as to act as a learning platform for Android application security beginners.
Stars: ✭ 173 (-54.35%)
Mutual labels:  application-security, android-security
Resources-for-Application-Security
Some good resources for getting started with application security
Stars: ✭ 97 (-74.41%)
Mutual labels:  infosec, application-security
vapi
vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Top 10 scenarios through exercises.
Stars: ✭ 674 (+77.84%)
Mutual labels:  vulnerable-application
ggtfobins
Get GTFOBins info about a given exploit from the command line
Stars: ✭ 27 (-92.88%)
Mutual labels:  infosec
volana
🌒 Shell command obfuscation to avoid detection systems
Stars: ✭ 38 (-89.97%)
Mutual labels:  infosec
DDTTX
DDTTX Tabletop Trainings
Stars: ✭ 22 (-94.2%)
Mutual labels:  infosec
maalik
Feature-rich Post Exploitation Framework with Network Pivoting capabilities.
Stars: ✭ 75 (-80.21%)
Mutual labels:  infosec
gwdomains
sub domain wild card filtering tool
Stars: ✭ 38 (-89.97%)
Mutual labels:  infosec
oscp-omnibus
A collection of resources I'm using while working toward the OSCP
Stars: ✭ 46 (-87.86%)
Mutual labels:  infosec
aa-policy-validator
Validate all your Customer IAM Policies against AWS Access Analyzer - Policy Validation
Stars: ✭ 42 (-88.92%)
Mutual labels:  infosec
AutonomousThreatSweep
Threat Hunting queries for various attacks
Stars: ✭ 70 (-81.53%)
Mutual labels:  infosec
juumla
🦁 Juumla is a python tool created to identify Joomla version, scan for vulnerabilities and search for config or backup files.
Stars: ✭ 107 (-71.77%)
Mutual labels:  infosec
diwa
A Deliberately Insecure Web Application
Stars: ✭ 32 (-91.56%)
Mutual labels:  infosec
training-materials
No description or website provided.
Stars: ✭ 47 (-87.6%)
Mutual labels:  infosec
sec-scannode
SEC distributed asset scanning system
Stars: ✭ 8 (-97.89%)
Mutual labels:  infosec
mobileAudit
Django application that performs SAST and Malware Analysis for Android APKs
Stars: ✭ 140 (-63.06%)
Mutual labels:  android-security
Subcert
Subcert is a subdomain enumeration tool that finds all the subdomains from certificate transparency logs.
Stars: ✭ 58 (-84.7%)
Mutual labels:  infosec
sandboxed-fs
Sandboxed Wrapper for Node.js File System API
Stars: ✭ 41 (-89.18%)
Mutual labels:  application-security

Damn Vulnerable Bank

Guide: https://rewanthtammana.com/damn-vulnerable-bank/

About application

Damn Vulnerable Bank is designed to be an intentionally vulnerable Android application. All the details are documented in the guide linked above.

Upcoming Sessions

NoNameCon

Black Hat Europe

Features

  • Sign up
  • Login
  • My profile interface
  • Change password
  • Settings interface to update backend URL
  • Add fingerprint check before transferring/viewing funds
  • Add pin check before transferring/viewing funds
  • View balance
  • Transfer money
    • Via manual entry
    • Via QR scan
  • Add beneficiary
  • Delete beneficiary
  • View beneficiary
  • View transactions history
  • Download transactions history

List of vulnerabilities in the application

To keep things crisp and interesting, this section is hidden behind a spoiler toggle. Do not expand it if you want a fun and challenging experience: explore the application, find all the vulnerabilities you can, and then cross-check your findings against this list.

Spoiler Alert
  • Root and emulator detection
  • Anti-debugging checks (prevent hooking with Frida, jdb, etc.)
  • SSL pinning (certificate/public key pinning)
  • Obfuscated code
  • Encrypted requests and responses
  • Hardcoded sensitive information
  • Logcat leakage
  • Insecure storage (e.g. saved card numbers)
  • Exported activities
  • JWT token handling
  • WebView integration
  • Deep links
  • IDOR

Backend to-do

  • Add profile and change-password routes
  • Create different secrets for admin and other users
  • Generate the secrets used to verify JWT tokens dynamically
  • Introduce a bug in JWT verification
  • Find a way to persist the database and mount it into the Docker container
  • Dockerize the environment

Core Team

Damn Vulnerable Bank was created by

Rewanth Tammana (REST API)
Akshansh Jaiswal (Android App)
Hrushikesh Kakade (Android App)
