DEV.co
Open-Source Security · Commando-X

vuln-bank

vuln-bank is an intentionally vulnerable banking web application built for security training and penetration testing practice. It simulates real-world banking features (transfers, loans, cards, bill payments) while deliberately embedding common vulnerabilities (SQL injection, XSS, broken authorization, file upload flaws, prompt injection in AI features) for hands-on learning.

Source: GitHub — github.com/Commando-X/vuln-bank
777
GitHub stars
289
Forks
HTML
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryCommando-X/vuln-bank
OwnerCommando-X
Primary languageHTML
LicenseMIT — OSI-approved
Stars777
Forks289
Open issues9
Latest releaseUnknown
Last updated2026-06-21
Sourcehttps://github.com/Commando-X/vuln-bank

What vuln-bank is

A Flask-based Python web application with PostgreSQL backend that demonstrates OWASP Top 10 and AI/LLM security flaws across authentication, APIs, GraphQL endpoints, and file operations. Includes Docker Compose setup with intentionally weak configurations (debug mode enabled, plaintext credentials in .env, no rate limiting or input validation) to maximize educational attack surface.

Quickstart

Get the vuln-bank source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/Commando-X/vuln-bank.gitcd vuln-bank# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Security training and certifications

Ideal for hands-on labs in OSCP, CEH, or internal security bootcamps. Provides realistic banking workflows with documented vulnerabilities to exploit and patch.

Penetration testing practice

Developers and security engineers can practice identifying and exploiting SQL injection, broken authorization (BOLA/BOPLA), file traversal, XSS, and CSRF in a safe, legal sandbox.

Secure code review training

Security reviewers can learn to spot dangerous patterns (plaintext password storage, client-controlled exchange rates, race conditions) and understand remediation patterns.

Implementation considerations

  • Isolate in air-gapped or containerized environments (Docker Compose provided); never expose to untrusted networks or the public internet.
  • Run locally on development machines or dedicated training VMs; requires full control over network access and data cleanup after exercises.
  • Database credentials and secrets are intentionally committed to .env for ease of setup; assume this is a training artifact and rotate all secrets if cloned elsewhere.
  • Flask development server with debug=True is intentional to expose Werkzeug debugger exploits; do not run behind a production WSGI server in shared spaces.
  • GraphQL schema introspection is enabled, JWT secrets are weak, and file upload paths are traversable; these are features, not bugs, for training.

When to avoid it — and what to weigh

  • Production or public-facing use — Application is explicitly designed to be vulnerable. Hosting on the internet or using with real data creates serious security and compliance violations.
  • Non-isolated or shared environments — Running on shared infrastructure, corporate networks, or multi-tenant systems risks lateral movement and data exposure. Requires complete network isolation.
  • Compliance-sensitive contexts — Banking regulations (PCI-DSS, SOX) and data protection laws (GDPR, CCPA) prohibit intentionally vulnerable systems handling financial data, even for training.
  • Integration with other systems — No stable API contracts, frequent intentional breaking changes expected, and security design is fundamentally unsound. Not suitable for integration or dependency.

License & commercial use

Licensed under MIT (OSI-approved, permissive). Permits use, modification, and distribution with minimal restrictions. Includes copyright notice and license text requirement. No patent grants or liability disclaimers beyond standard MIT terms.

MIT license permits commercial use of the code itself. However, deploying this application for any revenue-generating purpose (training services, consulting, SaaS) in production or customer-facing contexts contradicts its intentional vulnerability design and likely violates financial regulations, data protection laws, and professional liability standards. Requires legal review before any commercial deployment or integration.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

This is an intentionally vulnerable application; every flaw is by design. Do not assess for 'security posture' as production software. Key attack surfaces: SQL injection in login and GraphQL resolvers, broken authentication (weak JWT, localStorage tokens, no expiration), broken authorization (BOLA, BOPLA, mass assignment), unrestricted file uploads with path traversal, XSS, CSRF, race conditions in transactions, and prompt injection in AI features. These are training targets, not bugs to report. Only run in isolated environments with no access to production data or networks. No code hardening, no WAF bypass mitigations, no secrets management—all by design.

Alternatives to consider

DVWA (Damn Vulnerable Web Application)

Older, simpler PHP-based vulnerable app; well-established for OWASP Top 10 training. Fewer features (no AI, GraphQL, or banking domain). Better for beginners.

WebGoat (OWASP)

Java-based, lesson-driven platform with guided exercises. Includes AI/LLM security modules. More structured curriculum; less free-form penetration testing.

Juice Shop (OWASP)

JavaScript/Node.js modern vulnerable app with rich features (OAuth, API, admin panel). Larger community, active maintenance. No banking domain or AI focus.

Software development agency

Build on vuln-bank with DEV.co software developers

Clone vuln-bank, isolate it in Docker or a VM, and start identifying vulnerabilities. Use it to prepare for certifications, improve your pentesting skills, or train your team on secure coding patterns.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

vuln-bank FAQ

Can I run vuln-bank in Docker on a shared corporate network?
No. Even in containers, if the host is on a corporate network or has any connectivity to other systems, lateral movement is possible. Require air-gapped or isolated VMs (e.g., VirtualBox on a personal machine with no network bridge).
Is the .env file with credentials safe to commit?
For this educational tool only. It's intentional to reduce setup friction. Never treat this as a pattern; always exclude .env from version control in real projects and use secret management tools.
Can I use vuln-bank to teach clients or in a commercial training course?
MIT license permits redistribution. However, hosting it for paying customers or integrating it into a SaaS offering likely requires legal review regarding data protection, financial regulations, and liability. Consult your legal team before any commercial training delivery.
What's the difference between running with Docker Compose vs. local Python?
Docker Compose is easier (one command) and isolates dependencies. Local setup gives more control for debugging and direct code edits. Both are supported; choose based on your lab environment.

Software development & web development with DEV.co

Adopting vuln-bank is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Ready to Practice Security Testing?

Clone vuln-bank, isolate it in Docker or a VM, and start identifying vulnerabilities. Use it to prepare for certifications, improve your pentesting skills, or train your team on secure coding patterns.