
WaTF-Team / Watf Bank

License: MIT
WaTF Bank - What a Terrible Failure Mobile Banking Application for Android and iOS


Projects that are alternatives of or similar to Watf Bank

Mobileapp Pentest Cheatsheet
The Mobile App Pentest cheat sheet was created to provide concise collection of high value information on specific mobile application penetration testing topics.
Stars: ✭ 3,051 (+3406.9%)
Mutual labels:  mobile-app, pentesting
Evabs
An open source Android application that is intentionally vulnerable so as to act as a learning platform for Android application security beginners.
Stars: ✭ 173 (+98.85%)
Mutual labels:  mobile-app, pentesting
Livechart
Android library to draw beautiful and rich line charts.
Stars: ✭ 78 (-10.34%)
Mutual labels:  mobile-app
Thecollective
The Collective. A repo for a collection of red-team projects found mostly on Github.
Stars: ✭ 85 (-2.3%)
Mutual labels:  pentesting
Venom
Venom - A Multi-hop Proxy for Penetration Testers
Stars: ✭ 1,228 (+1311.49%)
Mutual labels:  pentesting
Ldap search
Python3 script to perform LDAP queries and enumerate users, groups, and computers from Windows Domains. Ldap_Search can also perform brute force/password spraying to identify valid accounts via LDAP.
Stars: ✭ 78 (-10.34%)
Mutual labels:  pentesting
Pentesting Cookbook
A set of recipes useful in pentesting and red teaming scenarios
Stars: ✭ 82 (-5.75%)
Mutual labels:  pentesting
Subjack
Subdomain Takeover tool written in Go
Stars: ✭ 1,194 (+1272.41%)
Mutual labels:  pentesting
Thoron
Thoron Framework is a Linux post-exploitation framework that exploits Linux TCP vulnerability to provide a shell-like connection. Thoron Framework has the ability to create simple payloads to provide Linux TCP attack.
Stars: ✭ 87 (+0%)
Mutual labels:  pentesting
Flutter News Reader
News Reader App to fetch Articles from different news channels using Flutter.
Stars: ✭ 80 (-8.05%)
Mutual labels:  mobile-app
Zynix Fusion
zynix-Fusion is a framework that aims to centralize, standardize and simplify the use of various security tools for pentest professionals. zynix-Fusion (old name: Linux evil toolkit) has a few simple commands, one of which is the init function that allows you to define a target, and thus use all the tools without typing anything else.
Stars: ✭ 84 (-3.45%)
Mutual labels:  pentesting
Deathstar
Uses Empire's (https://github.com/BC-SECURITY/Empire) RESTful API to automate gaining Domain and/or Enterprise Admin rights in Active Directory environments using some of the most common offensive TTPs.
Stars: ✭ 1,221 (+1303.45%)
Mutual labels:  pentesting
Decoder Plus Plus
An extensible application for penetration testers and software developers to decode/encode data into various formats.
Stars: ✭ 79 (-9.2%)
Mutual labels:  pentesting
Cloudfail
Utilize misconfigured DNS and old database records to find hidden IPs behind the CloudFlare network
Stars: ✭ 1,239 (+1324.14%)
Mutual labels:  pentesting
Githacktools
The best Hacking and PenTesting tools installer in the world
Stars: ✭ 78 (-10.34%)
Mutual labels:  pentesting
Pentesting toolkit
🏴‍☠️ Tools for pentesting, CTFs & wargames. 🏴‍☠️
Stars: ✭ 1,268 (+1357.47%)
Mutual labels:  pentesting
Rsf
The Robot Security Framework (RSF), a standardized methodology to perform security assessments in robotics.
Stars: ✭ 76 (-12.64%)
Mutual labels:  pentesting
Cooking App Flutter
Example app build with Flutter
Stars: ✭ 79 (-9.2%)
Mutual labels:  mobile-app
Prismatica
Responsive Command and Control System
Stars: ✭ 81 (-6.9%)
Mutual labels:  pentesting
Blackrat
BlackRAT - Java Based Remote Administrator Tool
Stars: ✭ 87 (+0%)
Mutual labels:  pentesting
WaTF-Bank

License: MIT

Update iOS Swift!

What-a-Terrible-Failure Mobile Banking Application (WaTF-Bank), written in Java, Swift 4 and Objective-C, with a Python (Flask framework) backend server, is designed to simulate a "real-world" web-services-enabled mobile banking application that contains over 30 vulnerabilities.

The objectives of this project:

  • Application developers, programmers and architects can understand and consider how to create secure software by investigating the vulnerable app (WaTF-Bank) on both the Android and iOS platforms.
  • Penetration testers can practice their security assessment skills in order to identify the vulnerabilities in the app and understand their implications.

List of Vulnerabilities

OWASP Mobile Top 10 (2016) category / Vulnerability name
M1. Improper Platform Usage
  • Excessive App Permissions
  • Unsupported version of OS Installation Allowed
  • Unrestricted Backup File
  • Android Content provider Flaw
  • Android Broadcast receiver Flaw
  • Input Validation on API (SQL Injection, Negative value)
  • Information Exposure through API Response Message
  • Control of Interaction Frequency on API
M2. Insecure Data Storage
  • Insecure Application Local Storage
  • Insecure Keychain Usage
  • Unencrypted Database File
  • Sensitive Information on Application Backgrounding
  • Information Disclosure Through Device Logs
  • Copy/Paste Buffer Caching
  • Keyboard Input Caching
  • Lack of Sensitive Information Masking
M3. Insecure Communication
  • Insecure SSL Verification
M4. Insecure Authentication
  • Client-Side Based Authentication Flaw
  • Account Enumeration
  • Account Lockout Policy
  • Weak Password Policy for Password/PIN
  • Misuse of Biometric Authentication
  • Session Management Flaw
M5. Insufficient Cryptography
  • Hardcoded Encryption Key
  • Weak Cryptographic Algorithm
  • Custom Encryption Protocol
M6. Insecure Authorization
  • Insecure Direct Object Reference
  • Business Logic Flaw
M7. Client Code Quality
  • SQL Injection on Content provider
  • Insecure URL Scheme Handler
M8. Code Tampering
  • Unauthorized Code Modification (Application Patching)
  • Weak Root/Jailbreak Detection
  • Method Swizzling
M9. Reverse Engineering
  • Lack of Code Obfuscation
M10. Extraneous Functionality
  • Application Debuggable
  • Hidden Endpoint Exposure

Backend Server

Required Libraries

  • flask
  • flask_sqlalchemy
  • flask_script
  • flask_migrate

Easy installation with:

pip3 install -r requirements.txt

Starting the backend (the database will also be re-migrated):

./StartServer

Project Team

  • Boonpoj Thongakaraniroj
  • Parameth Eimsongsak
  • Prathan Phongthiproek
  • Krit Saengkyongam

License

This project is licensed under the MIT License.

Copyright (c) 2018 WaTF-Team
