vuln-bank by Commando-X

Vulnerable banking app for security practice

created 5 months ago
287 stars

Top 92.3% on sourcepulse

Project Summary

This project provides a deliberately vulnerable banking web application and API, designed for practicing application security testing, secure code reviews, and DevSecOps implementation. It targets security professionals, developers, and enthusiasts seeking hands-on experience with common web, API, and AI/LLM vulnerabilities.

How It Works

The application simulates core banking features like user authentication, account management, and money transfers, but intentionally incorporates a wide array of security flaws. These include SQL injection, broken authentication and authorization, insecure data handling, cross-site scripting (XSS), cross-site request forgery (CSRF), and various AI/LLM vulnerabilities like prompt injection and information disclosure. The architecture allows for both Dockerized and local Python installations, with an integrated AI customer support agent that can use a real LLM (DeepSeek API) or a mock mode.

Quick Start & Requirements

  • Docker (Recommended):
    git clone https://github.com/Commando-X/vuln-bank.git
    cd vuln-bank
    docker-compose up --build
    
    Application available at http://localhost:5000.
  • Local Installation:
    • Prerequisites: Python 3.9+, PostgreSQL, pip, Git.
    • Clone repo, create virtual environment, install dependencies (pip install -r requirements.txt), configure .env for local PostgreSQL, and run python app.py.
  • AI Customer Support: Requires DeepSeek API key for full LLM functionality; otherwise, it defaults to mock mode.

Highlighted Details

  • Implements vulnerabilities across authentication, authorization, data security, transactions, file operations, session management, virtual cards, bill payments, and AI customer support.
  • Features AI/LLM vulnerabilities including Prompt Injection (CWE-77), AI-based Information Disclosure (CWE-200), and Broken Authorization in AI context (CWE-862).
  • Includes detailed testing guides for various vulnerability classes and AI-specific attacks.
  • Offers both authenticated and anonymous modes for the AI chat, highlighting context-dependent risks.

Maintenance & Community

Contributions are welcome for adding vulnerabilities, improving features, and enhancing documentation. Blog write-ups detailing findings and walkthroughs are linked in the README.

Licensing & Compatibility

Licensed under the MIT License, permitting commercial use and integration with closed-source projects.

Limitations & Caveats

This application is intentionally vulnerable and must only be used in isolated, educational environments. It should not be deployed in production, used with real data, or run on public networks. The project's focus is on demonstrating vulnerabilities, not on providing a production-ready secure application.

Health Check

  • Last commit: 1 week ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 1
  • Issues (30d): 0
  • Star History: 123 stars in the last 90 days
