WaTF-Bank

License: MIT

The What-a-Terrible-Failure Mobile Banking Application (WaTF-Bank), written in Java and Objective-C with a Python (Flask framework) backend server, is designed to simulate a "real-world" web-services-enabled mobile banking application that contains over 30 vulnerabilities.

The objectives of this project:

  • Application developers, programmers and architects can understand how to create secure software by investigating the vulnerable app (WaTF-Bank) on both Android and iOS platforms.
  • Penetration testers can practice security assessment skills in order to identify the vulnerabilities in the app and understand their implications.

List of Vulnerabilities

Grouped by OWASP Mobile Top 10 (2016) category; each bullet is a vulnerability name.
M1. Improper Platform Usage
  • Excessive App Permissions
  • Unsupported version of OS Installation Allowed
  • Unrestricted Backup File
  • Android Content Provider Flaw
  • Android Broadcast Receiver Flaw
  • Input Validation on API (SQL Injection, Negative value)
  • Information Exposure through API Response Message
  • Control of Interaction Frequency on API
M2. Insecure Data Storage
  • Insecure Application Local Storage
  • Insecure Keychain Usage
  • Unencrypted Database File
  • Sensitive Information on Application Backgrounding
  • Information Disclosure Through Device Logs
  • Copy/Paste Buffer Caching
  • Keyboard Input Caching
  • Lack of Sensitive Information Masking
M3. Insecure Communication
  • Insecure SSL Verification
M4. Insecure Authentication
  • Client-Side Based Authentication Flaw
  • Account Enumeration
  • Account Lockout Policy
  • Weak Password Policy for Password/PIN
  • Misuse of Biometric Authentication
  • Session Management Flaw
M5. Insufficient Cryptography
  • Hardcoded Encryption Key
  • Weak Cryptographic Algorithm
  • Custom Encryption Protocol
M6. Insecure Authorization
  • Insecure Direct Object Reference
  • Business Logic Flaw
M7. Client Code Quality
  • SQL Injection on Content Provider
  • Insecure URL Scheme Handler
M8. Code Tampering
  • Unauthorized Code Modification (Application Patching)
  • Weak Root/Jailbreak Detection
  • Method Swizzling
M9. Reverse Engineering
  • Lack of Code Obfuscation
M10. Extraneous Functionality
  • Application Debuggable
  • Hidden Endpoint Exposure
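As an added example (not WaTF-Bank's own code), the pattern behind two of the M1 items above, "Input Validation on API (SQL Injection, Negative value)" and "Information Exposure through API Response Message", written in the backend's language. A transfer handler that builds its SQL by string formatting and trusts the amount as received is shown for contrast beside a hardened version that validates the amount, uses parameterised queries, checks funds inside a single transaction and returns fixed error messages instead of driver errors. The accounts table, the account names and the balances are constructed for the demonstration; nothing here is taken from the project's schema.

```python
"""Money-transfer handler for a banking API: the M1 flaws beside a hardened version.
Added example, not WaTF-Bank's own code; the schema, account names and balances
are constructed for the demonstration."""
import sqlite3
from decimal import Decimal, InvalidOperation


class ValidationError(ValueError):
    """Client-safe error: carries a fixed message that reveals nothing about the database."""


def make_bank():
    """In-memory accounts table with two constructed accounts; balances are integer cents."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 10_000), ("bob", 5_000)])
    conn.commit()
    return conn


def balance_of(conn, acct):
    row = conn.execute("SELECT balance FROM accounts WHERE id = ?", (acct,)).fetchone()
    return None if row is None else row[0]


def transfer_unsafe(conn, src, dst, raw_amount):
    """VULNERABLE pattern, shown for contrast only.

    The SQL is assembled by string formatting (SQL injection) and the amount is
    trusted as received, so a negative value credits the source instead of
    debiting it (the "Negative value" item).  Any database error raised here
    would also reach the client verbatim (information exposure).
    """
    cents = int(float(raw_amount) * 100)
    conn.execute(f"UPDATE accounts SET balance = balance - {cents} WHERE id = '{src}'")
    conn.execute(f"UPDATE accounts SET balance = balance + {cents} WHERE id = '{dst}'")
    conn.commit()


def parse_amount(raw):
    """Validate a transfer amount: decimal, finite, strictly positive, at most 2 places."""
    try:
        amount = Decimal(str(raw))
    except (InvalidOperation, ValueError):
        raise ValidationError("amount must be a decimal number") from None
    if not amount.is_finite():           # rejects NaN and Infinity before any comparison
        raise ValidationError("amount must be a finite number")
    if amount <= 0:                      # blocks the negative-value and zero-value cases
        raise ValidationError("amount must be positive")
    if amount.as_tuple().exponent < -2:  # no sub-cent amounts that rounding could hide
        raise ValidationError("amount may have at most two decimal places")
    return amount


def transfer(conn, src, dst, raw_amount):
    """Hardened handler: validated amount, parameterised SQL, funds check, atomic update."""
    amount = parse_amount(raw_amount)
    if src == dst:
        raise ValidationError("source and destination must differ")
    cents = int(amount * 100)
    try:
        with conn:  # one transaction: both legs are committed, or neither is
            cur = conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
                (cents, src, cents),
            )
            if cur.rowcount != 1:  # same message for unknown account and insufficient funds
                raise ValidationError("transfer refused")
            cur = conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (cents, dst))
            if cur.rowcount != 1:
                raise ValidationError("transfer refused")
    except sqlite3.Error:
        # Never echo the driver's message to the client; log it server-side instead.
        raise ValidationError("transfer refused") from None
    return balance_of(conn, src), balance_of(conn, dst)


def rejects(conn, src, dst, raw_amount):
    """True if transfer() refuses the request and leaves both balances untouched."""
    before = (balance_of(conn, src), balance_of(conn, dst))
    try:
        transfer(conn, src, dst, raw_amount)
    except ValidationError:
        return (balance_of(conn, src), balance_of(conn, dst)) == before
    return False


if __name__ == "__main__":
    bank = make_bank()
    print("valid transfer ->", transfer(bank, "alice", "bob", "25.50"))
    print("negative amount rejected ->", rejects(bank, "alice", "bob", "-100"))
    unsafe = make_bank()
    transfer_unsafe(unsafe, "alice", "bob", "-100")
    print("unsafe handler given -100 ->", balance_of(unsafe, "alice"), balance_of(unsafe, "bob"))
```

The funds check is folded into the debit statement (`AND balance >= ?`) so that the decision and the update happen in the same SQL operation, and the second leg runs inside the same `with conn:` transaction, so an unknown destination rolls back the debit rather than leaving money missing. Validation errors carry a fixed text that is safe to return in the API response; the driver's own exception text stays on the server.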

Backend Server

Required Libraries

  • flask
  • flask_sqlalchemy
  • flask_script
  • flask_migrate

Install them with:

pip3 install -r requirements.txt

Start the backend (the database is also re-migrated on start):

./StartServer

Project Team

  • Boonpoj Thongakaraniroj
  • Parameth Eimsongsak
  • Prathan Phongthiproek
  • Krit Saengkyongam

License

This project uses the MIT License.

Copyright (c) 2018 WaTF-Team
