Purpose: A purpose-built, intentionally insecure banking application used as the primary test target for SecureScope — an AI-powered GitHub security scanner with MITRE ATT&CK mapping, ransomware detection, and multi-LLM fix advisory.
| Feature | Description |
|---|---|
| | 11 hidden flags with scoreboard and hints at `/api/ctf/*` |
| Exploit writeups | `docs/exploits/` — 10 detailed writeups with curl/Python payloads |
| Node.js microservice | Port 3000: prototype pollution, eval RCE, ReDoS, open redirect (CWE-1321, CWE-94) |
| nginx + smuggling | HTTP request smuggling setup via nginx reverse proxy (CWE-444) |
| MongoDB service | `docker-compose` adds MongoDB for NoSQL endpoints |
| Firebase tracking | Operator analytics via Firebase Measurement Protocol |
## Quick Start

```bash
# Clone and run (Python)
git clone https://github.com/OmarRao/analyzer
cd analyzer
pip install -r requirements.txt
python app.py
# Open http://localhost:5000

# Or with Docker Compose (includes MongoDB + nginx)
docker-compose up
# VulnBank:    http://localhost:5000
# nginx proxy: http://localhost:80
# Node.js:     http://localhost:3000
```

Default credentials: `admin / admin123` and `user / password123`
## Endpoints Quick Reference

| Route | Method | Blueprint | Vuln Class | CWE |
|---|---|---|---|---|
| `/` | GET | app | — | — |
| `/login` | GET, POST | auth | Weak credentials | CWE-521 |
| `/logout` | GET | auth | — | — |
| `/dashboard` | GET | app | — | — |
| `/api/auth/login` | POST | auth | SQLi / Weak auth | CWE-89 |
| `/api/accounts/<id>` | GET | accounts | IDOR | CWE-639 |
| `/api/accounts/<id>/transfer` | POST | accounts | IDOR, business logic | CWE-639 |
| `/api/xxe/parse` | POST | xxe | XXE | CWE-611 |
| `/api/ssti/render` | POST | ssti | SSTI | CWE-94 |
| `/api/business/voucher` | POST | business_logic | Race condition | CWE-362 |
| `/api/deserialization/restore` | POST | deserialization | Pickle RCE | CWE-502 |
| `/api/nosql/search` | POST | nosql | NoSQL injection | CWE-943 |
| `/api/ctf/submit` | POST | ctf | — | — |
| `/api/ctf/scoreboard` | GET | ctf | — | — |
| `http://localhost:3000/` | GET | Node.js | Prototype pollution | CWE-1321 |
| `http://localhost:3000/eval` | POST | Node.js | eval RCE | CWE-94 |
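The `/api/accounts/<id>/transfer` row above carries IDOR (CWE-639) and a business-logic flaw, and `/api/business/voucher` a race condition (CWE-362). The following is an added example, not VulnBank's own code: a transfer handler written in the shape of those flaws next to a hardened one. The SQLite schema, account ids and owner names are constructed for the example. The hardened version checks that the caller owns the source account, rejects non-positive amounts (the negative-transfer flaw, CWE-840), and folds the balance check into a single conditional `UPDATE` inside an immediate transaction, so two concurrent requests cannot both pass the check and both debit.

```python
import sqlite3

# Constructed schema and sample balances for this example; not VulnBank's real models.
SCHEMA = """
CREATE TABLE accounts (
    id      INTEGER PRIMARY KEY,
    owner   TEXT    NOT NULL,
    balance INTEGER NOT NULL
);
INSERT INTO accounts (id, owner, balance) VALUES (1, 'alice', 500), (2, 'bob', 100);
"""


def make_db():
    # isolation_level=None puts the connection in autocommit mode, so the explicit
    # BEGIN/COMMIT/ROLLBACK below are the only transactions in play.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    return conn


def balances(conn):
    return {owner: bal for owner, bal in
            conn.execute("SELECT owner, balance FROM accounts ORDER BY id")}


def transfer_vulnerable(conn, src_id, dst_id, amount):
    """Shape of the flaw: the caller's identity is never compared with the source
    account's owner (IDOR), the amount is not validated (a negative amount pulls
    money *in*), and the balance is read and then written in separate statements
    with no transaction, so two overlapping requests can both pass the check."""
    bal = conn.execute("SELECT balance FROM accounts WHERE id = ?", (src_id,)).fetchone()[0]
    if bal < amount:
        return False
    conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src_id))
    conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst_id))
    return True


def transfer_hardened(conn, actor, src_id, dst_id, amount):
    """Returns 'ok' or a short rejection reason. `actor` is the authenticated
    username taken from the session, never from the request body."""
    if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
        return "invalid amount"
    if src_id == dst_id:
        return "same account"
    # BEGIN IMMEDIATE takes the write lock now, so the ownership check, the
    # conditional debit and the credit happen as one unit against one snapshot.
    conn.execute("BEGIN IMMEDIATE")
    try:
        row = conn.execute("SELECT owner FROM accounts WHERE id = ?", (src_id,)).fetchone()
        if row is None or row[0] != actor:
            return "forbidden"                      # finally: rolls back
        # The funds check lives in the WHERE clause: rowcount 0 means the balance
        # was insufficient at the moment of the write, whatever any other request did.
        debited = conn.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
            (amount, src_id, amount)).rowcount
        if debited != 1:
            return "insufficient funds"
        credited = conn.execute(
            "UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst_id)).rowcount
        if credited != 1:
            return "no such destination"
        conn.execute("COMMIT")
        return "ok"
    finally:
        if conn.in_transaction:                     # any early return or exception
            conn.execute("ROLLBACK")


if __name__ == "__main__":
    db = make_db()
    print(transfer_hardened(db, "alice", 1, 2, 200), balances(db))
    print(transfer_vulnerable(db, 1, 2, -100), balances(db))   # negative amount accepted
```

The same conditional-UPDATE pattern is what a voucher endpoint needs: `UPDATE vouchers SET redeemed = 1 WHERE code = ? AND redeemed = 0` and a `rowcount` check, rather than a SELECT followed by an UPDATE.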
## ⚠️ Security Warning

THIS APPLICATION CONTAINS INTENTIONAL SECURITY VULNERABILITIES.

- DO NOT deploy to any public-facing or production environment
- DO NOT use real credentials, personal data, or financial information
- DO NOT run on a network accessible outside your local machine

Intended for: security research, scanner validation, education, and CTF-style exercises only
## What Is VulnBank?
VulnBank is a multi-module Python/Flask banking simulation containing 500+ deliberately introduced security findings across 28 CWE categories, 14 MITRE ATT&CK techniques, PCI DSS v4.0 requirements, NIST SP 800-53 Rev 5 controls, ISO 27001:2022 Annex A controls, and SANS/CWE Top 25 rankings. Every vulnerability is annotated with all applicable framework identifiers in comments, making it ideal for:
| Category | CWE | Finding | File |
|---|---|---|---|
| | | Host header injection — reset URL built from `request.headers.get('Host')` | `api/passwordreset.py` |
| Password Reset Poisoning | CWE-330 | Token = `random.randint(100000, 999999)` — only 900k possibilities | `api/passwordreset.py` |
| Password Reset Poisoning | CWE-208 | Timing oracle — 500ms sleep for valid email reveals account existence | `api/passwordreset.py` |
| GraphQL | CWE-400 | No depth or complexity limit — deeply nested queries cause DoS | `api/graphql_api.py` |
| GraphQL | CWE-200 | Introspection enabled in production — full schema exposed | `api/graphql_api.py` |
| GraphQL | CWE-89 | Resolver uses `f"SELECT {fields} FROM users WHERE id={id}"` — SQLi + field injection | `api/graphql_api.py` |
| GraphQL | CWE-285 | No field-level authorization — any user reads any user's `card_number` | `api/graphql_api.py` |
| JWT Algorithm Confusion | CWE-347 | `alg:none` accepted without signature verification | `api/jwt_auth.py` |
| JWT Algorithm Confusion | CWE-347 | HS256 verified with RSA public key as HMAC secret (algorithm confusion) | `api/jwt_auth.py` |
| JWT Algorithm Confusion | CWE-918 | SSRF — `kid` header starting with `http` fetches remote JWKS | `api/jwt_auth.py` |
| JWT Algorithm Confusion | CWE-613 | Expired JWTs accepted indefinitely — no expiry enforcement on refresh | `api/jwt_auth.py` |
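For the three password-reset findings above (reset URL built from the Host header, a six-digit `random.randint` token, and a timing oracle on valid addresses), here is an added example of the hardened shape. It is not VulnBank's `api/passwordreset.py`; the configured base URL, user table, token TTL and in-memory outbox are constructed stand-ins for the example.

```python
import hmac
import secrets
import time

# Constructed configuration and user store for this example; not VulnBank's real config.
PUBLIC_BASE_URL = "https://bank.example.test"   # fixed in config, never taken from the Host header
USERS = {"alice@example.test": "alice"}
TOKEN_TTL_SECONDS = 900
GENERIC_REPLY = "If that address is registered, a reset link has been sent."

OUTBOX = []          # stand-in for the mailer (constructed; the real stack catches mail in MailHog)
_reset_tokens = {}   # token -> (username, expires_at)


def send_email(to, body):
    OUTBOX.append((to, body))


def reset_url_vulnerable(host_header, token):
    # Shape of the finding: whoever controls the Host header controls where the link points,
    # so the victim's token is delivered to a host of the requester's choosing.
    return f"http://{host_header}/reset?token={token}"


def reset_url(token):
    # Hardened: the origin comes from configuration, not from the request.
    return f"{PUBLIC_BASE_URL}/reset?token={token}"


def request_reset(email, now=None):
    """Same reply and same work whether or not the address exists, so neither the
    response body nor its timing tells the caller whether the account is real.
    (Mail delivery itself should be queued off the request path for the same reason.)"""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits of CSPRNG output; replaces random.randint(100000, 999999)
    link = reset_url(token)             # built unconditionally, on both paths
    user = USERS.get(email)
    if user is not None:
        _reset_tokens[token] = (user, now + TOKEN_TTL_SECONDS)
        send_email(email, link)
    return GENERIC_REPLY


def consume_reset_token(token, now=None):
    """Single use, expiring, compared in constant time. Returns the username or None."""
    now = time.time() if now is None else now
    for stored, (user, expires_at) in list(_reset_tokens.items()):
        if hmac.compare_digest(stored.encode(), token.encode()):
            del _reset_tokens[stored]   # one shot, even if it turns out to be expired
            return user if now < expires_at else None
    return None


if __name__ == "__main__":
    print(request_reset("alice@example.test"))
    print(request_reset("nobody@example.test"))   # identical reply
    print(OUTBOX)
```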
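For the four JWT findings above, an added example (not VulnBank's `api/jwt_auth.py`) of a verifier that addresses each one: the algorithm is pinned server-side rather than read from the token header (so `alg:none` and an RS256-to-HS256 swap both fail at the same check), `kid` is resolved only against a local keyring (so a URL-valued `kid` is never fetched and a public key can never be handed to HMAC as a secret), and a token without a valid, unexpired `exp` is refused. The keyring, secret and the `issue_hs256` helper are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Pinned server-side; the token header is never consulted to choose the algorithm.
ALLOWED_ALGS = {"HS256"}


class JWTError(Exception):
    pass


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(claims, secret, kid):
    """Mint a token the way the server would (constructed helper for the example)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token, keyring, now=None):
    """keyring: dict kid -> HMAC secret bytes, loaded from local configuration only."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except (ValueError, TypeError):          # bad base64, bad UTF-8 or bad JSON
        raise JWTError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise JWTError("malformed token")
    # 1. alg:none and algorithm confusion: only the pinned algorithm is ever accepted.
    if header.get("alg") not in ALLOWED_ALGS:
        raise JWTError("algorithm not allowed")
    # 2. kid SSRF: kid is a lookup key into our own keyring, never a URL or a path.
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in keyring:
        raise JWTError("unknown kid")
    expected = hmac.new(keyring[kid], f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise JWTError("bad signature")
    # 3. Expiry: exp is mandatory and checked on every use, including refresh.
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise JWTError("exp claim required")
    if now >= exp:
        raise JWTError("token expired")
    return claims


def check(token, keyring, now=None):
    """Convenience wrapper: the claims on success, otherwise the rejection reason."""
    try:
        return verify_jwt(token, keyring, now)
    except JWTError as err:
        return str(err)


if __name__ == "__main__":
    keyring = {"k1": b"constructed-test-secret"}
    tok = issue_hs256({"sub": "alice", "exp": int(time.time()) + 60}, keyring["k1"], "k1")
    print(check(tok, keyring))
```

If the deployment also needs RS256, add it to `ALLOWED_ALGS` and keep a separate keyring of public keys for that algorithm; the point is that the verifier, not the token, decides which key type goes with which algorithm.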
## MITRE ATT&CK Coverage

| Technique | Name | Examples in VulnBank |
|---|---|---|
| T1190 | Exploit Public-Facing Application | SQLi login, XXE, file upload |
| T1059 | Command and Scripting Interpreter | OS command injection, pickle RCE |
| T1059.007 | JavaScript Execution (XSS) | Reflected XSS in search, admin echo |
| T1548 | Abuse Elevation Control Mechanism | No-auth admin endpoints, IDOR |
| T1552 | Unsecured Credentials | Hardcoded keys in config, cleartext logs |
| T1552.001 | Credentials in Files | API keys, DB password, AWS secret in source |
| T1083 | File and Directory Discovery | Path traversal in log read, file download |
| T1090 | Proxy | SSRF to internal services, webhook SSRF |
| T1562 | Impair Defenses | Missing CSRF, auth bypass |
| T1566 | Phishing (Redirect) | Open redirect in OAuth callback |
| T1600 | Weaken Encryption | MD5 passwords, ECB cipher mode |
| T1021.004 | Remote Services: SSH | CMDi via SSH in admin panel |
| T1499 | Endpoint Denial of Service | ReDoS via catastrophic regex backtracking |
| T1059.001 | Scripting (LLM Abuse) | Prompt injection in AI financial advice endpoint |
## Running VulnBank

### Docker Compose (recommended)

```bash
docker-compose up
# App:                           http://localhost:5000
# MailHog (catches reset emails): http://localhost:8025
```

### Local (without Docker)

```bash
# Clone
git clone https://github.com/OmarRao/analyzer.git
cd analyzer

# Install dependencies
pip install -r requirements.txt

# Run (binds to 0.0.0.0:5000 — LOCAL ONLY)
python app.py
```
Default test credentials (hardcoded intentionally):

| User | Password | Role |
|---|---|---|
| admin | admin123 | admin |
| alice | password1 | user |
| bob | letmein | user |
## CI/CD Integration

VulnBank ships with a GitHub Actions workflow (`.github/workflows/secscope-scan.yml`) that automatically runs SecureScope on every push and pull request to `main`:

- Installs Semgrep, pip-audit, and SecureScope
- Runs the full scan with the `--sarif --sbom --compliance` flags
- Uploads SARIF results directly to the GitHub Security tab (requires the `security-events: write` permission)
- Archives all reports as workflow artifacts

The workflow uses `continue-on-error: true` so it never blocks merges — it only surfaces findings.
## Postman Collection

Import `vulnbank.postman_collection.json` into Postman to access 35 pre-built exploit requests across 11 vulnerability folders (Auth, SQL Injection, OAuth, MFA Bypass, Password Reset, GraphQL, JWT, LDAP, Admin, Payments, File Upload).

Import steps:

1. Open Postman → Import → Upload Files
2. Select `vulnbank.postman_collection.json`
3. Set the `base_url` variable to `http://localhost:5000`

Each request includes pre-configured exploit payloads and CWE descriptions.
## Use with SecureScope

VulnBank is the canonical test target for SecureScope. To scan it:
Complete 6-framework coverage — ISO 27001:2022 Annex A added to all 14 api/utils/jobs/config/models files; new CWE-362 race-condition endpoints and CWE-840 negative-transfer business logic flaw