GitHub - WaTF-Team/WaTF-Bank: WaTF Bank - What a Terrible Failure Mobile Banking...
source link: https://github.com/WaTF-Team/WaTF-Bank
README.md
What-a-Terrible-Failure Mobile Banking Application (WaTF-Bank), written in Java and Objective-C for the mobile clients and in Python (Flask framework) for the backend server, is designed to simulate a "real-world" web-services-enabled mobile banking application that contains over 30 vulnerabilities.
The objectives of this project:
- Application developers, programmers and architects can understand and consider how to create secure software by investigating the vulnerable app (WaTF-Bank) on both Android and iOS platforms.
- Penetration testers can practice security assessment skills by identifying the vulnerabilities in the app and understanding their implications.
List of Vulnerabilities
OWASP Mobile Top 10 2016 category / Vulnerability Name
M1. Improper Platform Usage:
- Excessive App Permissions
- Unsupported version of OS Installation Allowed
- Unrestricted Backup File
- Android Content provider Flaw
- Android Broadcast receiver Flaw
- Input Validation on API (SQL Injection, Negative value)
- Information Exposure through API Response Message
- Control of Interaction Frequency on API
- Insecure Application Local Storage
- Insecure Keychain Usage
- Unencrypted Database File
- Sensitive Information on Application Backgrounding
- Information Disclosure Through Device Logs
- Copy/Paste Buffer Caching
- Keyboard Input Caching
- Lack of Sensitive Information Masking
- Insecure SSL Verification
- Client-Side Based Authentication Flaw
- Account Enumeration
- Account Lockout Policy
- Weak Password Policy for Password/PIN
- Misuse of Biometric Authentication
- Session Management Flaw
- Hardcoded Encryption Key
- Weak Cryptographic Algorithm
- Custom Encryption Protocol
- Insecure Direct Object Reference
- Business Logic Flaw
- SQL Injection on Content provider
- Insecure URL Scheme Handler
- Unauthorized Code Modification (Application Patching)
- Weak Root/Jailbreak Detection
- Method Swizzling
- Lack of Code Obfuscation
- Application Debuggable
- Hidden Endpoint Exposure
Backend Server
Required Libraries
- flask
- flask_sqlalchemy
- flask_script
- flask_migrate
Easy installation through
pip3 install -r requirements.txt
Start the backend (this also re-runs the database migrations):
./StartServer
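The vulnerability list names "Input Validation on API (SQL Injection, Negative value)", and the backend above is a Flask/SQLAlchemy server. The following is an added example, not WaTF-Bank code, showing what the server-side fix for that class looks like in a transfer handler: amounts parsed as Decimal and rejected unless positive with at most two decimal places, and every account lookup done with a bound parameter. It uses the standard sqlite3 module instead of flask_sqlalchemy so it runs offline; the accounts table, balances and function names (open_demo_db, parse_amount_cents, lookup_account, transfer) are constructed for this example.

```python
# Added example: not WaTF-Bank code. Shows server-side checks for the
# "Input Validation on API (SQL Injection, Negative value)" class, in a
# plain-Python form of a Flask transfer handler. It uses the standard
# sqlite3 module instead of flask_sqlalchemy so it runs offline; the account
# table, balances and function names are constructed for this example.
import sqlite3
from decimal import Decimal, InvalidOperation


def open_demo_db():
    """In-memory accounts table with constructed sample balances (in cents)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (acct_no TEXT PRIMARY KEY, owner TEXT, "
        "balance_cents INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 50_000), ("1002", "bob", 10_000)],
    )
    conn.commit()
    return conn


def parse_amount_cents(raw):
    """Return the amount in integer cents, or None if the client value is
    not a positive number with at most two decimal places.  Parsing with
    Decimal (never float) avoids rounding surprises, and the sign check is
    what stops a "negative transfer" from crediting the sender."""
    try:
        amount = Decimal(str(raw))
    except InvalidOperation:
        return None
    if amount.is_nan() or amount.is_infinite() or amount <= 0:
        return None
    if amount != amount.quantize(Decimal("0.01")):
        return None
    return int(amount * 100)


def lookup_account(conn, acct_no):
    """Bound parameter: the value is never parsed as SQL, so an input such
    as "1001' OR '1'='1" simply matches no row instead of every row."""
    return conn.execute(
        "SELECT acct_no, owner, balance_cents FROM accounts WHERE acct_no = ?",
        (acct_no,),
    ).fetchone()


def transfer(conn, from_acct, to_acct, raw_amount):
    """Validate, then move funds atomically.  Returns a result dict instead
    of raising so an API layer can map it straight to a 400/404 response."""
    cents = parse_amount_cents(raw_amount)
    if cents is None:
        return {"ok": False, "error": "invalid amount"}
    if from_acct == to_acct:
        return {"ok": False, "error": "source and destination are the same"}
    # 'with conn' commits on success and rolls back if anything raises.
    with conn:
        src = lookup_account(conn, from_acct)
        dst = lookup_account(conn, to_acct)
        if src is None or dst is None:
            return {"ok": False, "error": "unknown account"}
        if src[2] < cents:
            return {"ok": False, "error": "insufficient funds"}
        conn.execute(
            "UPDATE accounts SET balance_cents = balance_cents - ? WHERE acct_no = ?",
            (cents, from_acct),
        )
        conn.execute(
            "UPDATE accounts SET balance_cents = balance_cents + ? WHERE acct_no = ?",
            (cents, to_acct),
        )
    return {
        "ok": True,
        "balances": {
            from_acct: lookup_account(conn, from_acct)[2],
            to_acct: lookup_account(conn, to_acct)[2],
        },
    }


if __name__ == "__main__":
    db = open_demo_db()
    print(transfer(db, "1001", "1002", "100.00"))   # ok, balances move
    print(transfer(db, "1001", "1002", "-100"))     # rejected: invalid amount
    print(lookup_account(db, "1001' OR '1'='1"))    # None, not a row dump
```

The two checks map directly onto the two failure modes named in the list: the amount parser is the only place a client-supplied number is turned into money, and the lookup never builds SQL from strings. Keeping balances as integer cents also removes a whole class of rounding bugs that a float-based transfer endpoint would otherwise carry.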
Project Team
- Boonpoj Thongakaraniroj
- Parameth Eimsongsak
- Prathan Phongthiproek
- Krit Saengkyongam
License
This project is licensed under the MIT License.
Copyright (c) 2018 WaTF-Team