Guide: https://rewanthtammana.com/damn-vulnerable-bank/
Damn Vulnerable Bank is designed to be an intentionally vulnerable android application. All the details are documented in the guide, here.
- Sign up
- Login
- My profile interface
- Change password
- Settings interface to update backend URL
- Add fingerprint check before transferring/viewing funds
- Add pin check before transferring/viewing funds
- View balance
- Transfer money
- Via manual entry
- Via QR scan
- Add beneficiary
- Delete beneficiary
- View beneficiary
- View transactions history
- Download transactions history
To keep things crisp and interesting, we hidden this section. Do not toggle this button if you want a fun and challenging experience. Try to explore the application, find all the possible vulnerabilities and then cross check your findings with this list.
Spoiler Alert
- Root and emulator detection
- Anti-debugging checks (prevents hooking with frida, jdb, etc)
- SSL pinning - pin the certificate/public key
- Obfuscate the entire code
- Encrypt all requests and responses
- Hardcoded sensitive information
- Logcat leakage
- Insecure storage (saved credit card numbers maybe)
- Exported activities
- JWT token
- Webview integration
- Deep links
- IDOR
- Add profile and change-password routes
- Create different secrets for admin and other users
- Add dynamic generation of secrets to verify JWT tokens
- Introduce bug in jwt verification
- Find a way to store database and mount it while using docker
- Dockerize environment
Damn Vulnerable Bank was created by
| Rewanth Tammana (Rest API) | Github | |
| Akshansh Jaiswal (Android App) | Github | |
| Hrushikesh Kakade (Android App) | Github |
Read more, here.
