Damn-Vulnerable-Bank - Vulnerable Banking Application For Android
2020-11-27 20:30:00 Author: www.blogger.com (view original) Views: 198

<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-IjDaCUJ_k8A/X8Db3dUQiFI/AAAAAAAAUew/8Hywvt8W6pYu8q5jQi3JA9MoVGB2u7CMACNcBGAsYHQ/s2048/Damn-Vulnerable-Bank_1_screen1.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2048" data-original-width="1048" height="640" src="https://1.bp.blogspot.com/-IjDaCUJ_k8A/X8Db3dUQiFI/AAAAAAAAUew/8Hywvt8W6pYu8q5jQi3JA9MoVGB2u7CMACNcBGAsYHQ/w328-h640/Damn-Vulnerable-Bank_1_screen1.jpeg" width="328" /></a></div>

<p>Damn <a href="https://www.kitploit.com/search/label/Vulnerable" target="_blank" title="Vulnerable">Vulnerable</a> Bank <a href="https://www.kitploit.com/search/label/Android%20Application" target="_blank" title="Android Application">Android Application</a> aims to provide an interface for everyone to get a detailed understanding of the internals and security aspects of an Android application.</p>

<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-RMupfO6CQno/X8Db9HQgo4I/AAAAAAAAUe0/xcbCc5QBGLklPd722cAVqgwnOBAnUpZ-gCNcBGAsYHQ/s2048/Damn-Vulnerable-Bank_2_screen2.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2048" data-original-width="1054" height="640" src="https://1.bp.blogspot.com/-RMupfO6CQno/X8Db9HQgo4I/AAAAAAAAUe0/xcbCc5QBGLklPd722cAVqgwnOBAnUpZ-gCNcBGAsYHQ/w330-h640/Damn-Vulnerable-Bank_2_screen2.jpeg" width="330" /></a></div>

<span style="font-size: large;"><b>How to Use Application</b></span><br />
<ul>
<li>Clone the repository and run the <a href="https://github.com/rewanth1997/Damn-Vulnerable-Bank/tree/master/BackendServer" rel="nofollow" target="_blank" title="Backend Server">Backend Server</a> as per the instructions in the link.</li>
<li>We have released the APK, so after downloading it, install it via adb or manually.</li>
<li>After installation, open the app and add the backend IP on the home screen.</li>
<li>Test the running status by pressing health check.</li>
<li>Now create an account via the signup option and then log in with your credentials.</li>
<li>Now you can see the dashboard and perform banking operations.</li>
<li>Log in as admin to approve beneficiaries.</li>
<li>The database is pre-populated with a few users for quick exploration.</li>
</ul>
<table>
<tr> <th>Username</th> <th>Password</th> <th>Account Number</th> <th>Beneficiaries</th> <th>Admin privileges</th> </tr>
<tr> <td>user1</td> <td>password1</td> <td>111111</td> <td>222222, 333333, 444444</td> <td>No</td> </tr>
<tr> <td>user2</td> <td>password2</td> <td>222222</td> <td>None</td> <td>No</td> </tr>
<tr> <td>user3</td> <td>password3</td> <td>333333</td> <td>None</td> <td>No</td> </tr>
<tr> <td>user4</td> <td>password4</td> <td>444444</td> <td>None</td> <td>No</td> </tr>
<tr> <td>admin</td> <td>admin</td> <td>999999</td> <td>None</td> <td>Yes</td> </tr>
</table>
<br />
<span style="font-size: large;"><b>Features</b></span><br />
<ul class="contains-task-list">
<li class="task-list-item">Sign up</li>
<li class="task-list-item">Login</li>
<li class="task-list-item">My profile interface</li>
<li class="task-list-item">Change password</li>
<li class="task-list-item">Settings interface to update backend URL</li>
<li class="task-list-item">Add <a href="https://www.kitploit.com/search/label/Fingerprint" target="_blank" title="fingerprint">fingerprint</a> check before transferring/viewing funds</li>
<li class="task-list-item">Add PIN check before transferring/viewing funds</li>
<li class="task-list-item">View balance</li>
<li class="task-list-item">Transfer money
<ul class="contains-task-list">
<li class="task-list-item">Via manual entry</li>
<li class="task-list-item">Via QR scan</li>
</ul>
</li>
<li class="task-list-item">Add beneficiary</li>
<li class="task-list-item">Delete beneficiary</li>
<li class="task-list-item">View beneficiary</li>
<li class="task-list-item">View transaction history</li>
<li class="task-list-item">Download transaction history</li>
</ul>
<br />
<span style="font-size: large;"><b>Building the APK with Obfuscation</b></span><br />
<ul>
<li>Go to the Build menu and select Generate Signed Bundle/APK.</li>
<li>Then select APK as the option and click Next.</li>
<li>Now we need a keystore to sign the APK.</li>
<li>Create a new keystore and remember its password.</li>
<li>After creating it, select that keystore and enter the password.</li>
<li>Now select the Build variant as Release and the signature version as V2.</li>
<li>Now we can build the APK successfully.</li>
</ul>
<br />
<span style="font-size: large;"><b>List of <a href="https://www.kitploit.com/search/label/vulnerabilities" target="_blank" title="vulnerabilities">vulnerabilities</a> in the application</b></span><br />
<p>To keep things crisp and interesting, we have hidden this section. Do not toggle this button if you want a fun and challenging experience. Try to explore the application, find all the possible vulnerabilities, and then cross-check your findings with this list.</p>
<details>
<summary>Spoiler Alert</summary>
<ul class="contains-task-list">
<li class="task-list-item"><input checked="" class="task-list-item-checkbox" disabled="" id="" type="checkbox" /> Root and emulator detection</li>
<li class="task-list-item"><input checked="" class="task-list-item-checkbox" disabled="" id="" type="checkbox" /> Anti-debugging checks (prevent hooking with Frida, jdb, etc.)</li>
<li class="task-list-item"><input class="task-list-item-checkbox" disabled="" id="" type="checkbox" /> SSL pinning - pin the certificate/public key</li>
<li class="task-list-item"><input checked="" class="task-list-item-checkbox" disabled="" id="" type="checkbox" /> Obfuscate the entire code</li>
<li class="task-list-item"><input checked="" class="task-list-item-checkbox" disabled="" id="" type="checkbox" /> Encrypt all requests and responses</li>
<li class="task-list-item"><input checked="" class="task-list-item-checkbox" disabled="" id="" type="checkbox" /> Hardcoded sensitive information</li>
<li class="task-list-item"><input checked="" class="task-list-item-checkbox" disabled="" id="" type="checkbox" /> Logcat leakage</li>
<li class="task-list-item"><input class="task-list-item-checkbox" disabled="" id="" type="checkbox" /> Insecure storage (saved credit card numbers, maybe)</li>
<li class="task-list-item"><input checked="" class="task-list-item-checkbox" disabled="" id="" type="checkbox" /> Exported activities</li>
<li class="task-list-item"><input class="task-list-item-checkbox" disabled="" id="" type="checkbox" /> JWT token</li>
<li class="task-list-item"><input checked="" class="task-list-item-checkbox" disabled="" id="" type="checkbox" /> WebView integration</li>
<li class="task-list-item"><input checked="" class="task-list-item-checkbox" disabled="" id="" type="checkbox" /> Deep links</li>
<li class="task-list-item"><input class="task-list-item-checkbox" disabled="" id="" type="checkbox" /> IDOR</li>
</ul>
</details>
<br />
<span style="font-size: large;"><b>Backend to-do</b></span><br />
<ul class="contains-task-list">
<li class="task-list-item">Add profile and change-password routes</li>
<li class="task-list-item">Create different secrets for admin and other users</li>
<li class="task-list-item">Add dynamic generation of secrets to verify JWT tokens</li>
<li class="task-list-item">Introduce a bug in JWT verification</li>
<li class="task-list-item">Find a way to store the database and mount it while using Docker</li>
<li class="task-list-item">Dockerize the environment</li>
</ul>
<br />
<span style="font-size: large;"><b>Authors</b></span><br />
<p>Thanks to these amazing people</p>
<table>
<tr> <td>Rewanth Cool (REST API)</td> <td><a href="https://github.com/rewanth1997/" rel="nofollow" target="_blank" title="Github">Github</a></td> <td><a href="https://www.linkedin.com/in/rewanthcool/" rel="nofollow" target="_blank" title="LinkedIn">LinkedIn</a></td> </tr>
<tr> <td>Hrushikesh Kakade (Android App)</td> <td><a href="https://github.com/HrushikeshK/" rel="nofollow" target="_blank" title="Github">Github</a></td> <td><a href="https://www.linkedin.com/in/hrushikeshkakade/" rel="nofollow" target="_blank" title="LinkedIn">LinkedIn</a></td> </tr>
<tr> <td>Akshansh Jaiswal (Android App)</td> <td><a href="https://github.com/jaiswalakshansh" rel="nofollow" target="_blank" title="Github">Github</a></td> <td><a href="https://www.linkedin.com/in/akshanshjaiswal/" rel="nofollow" target="_blank" title="LinkedIn">LinkedIn</a></td> </tr>
</table>
<br /><br />
<div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/rewanth1997/Damn-Vulnerable-Bank" rel="nofollow" target="_blank" title="Download Damn-Vulnerable-Bank">Download Damn-Vulnerable-Bank</a></span></b></div>

Source: http://www.blogger.com/feeds/8317222231133660547/posts/default/4199466678803929621