vuln-bank
vuln-bank is an intentionally vulnerable banking web application built for security training and penetration testing practice. It simulates real-world banking features (transfers, loans, cards, bill payments) while deliberately embedding common vulnerabilities (SQL injection, XSS, broken authorization, file upload flaws, prompt injection in AI features) for hands-on learning.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | Commando-X/vuln-bank |
| Owner | Commando-X |
| Primary language | HTML |
| License | MIT — OSI-approved |
| Stars | 777 |
| Forks | 289 |
| Open issues | 9 |
| Latest release | Unknown |
| Last updated | 2026-06-21 |
| Source | https://github.com/Commando-X/vuln-bank |
What vuln-bank is
A Flask-based Python web application with PostgreSQL backend that demonstrates OWASP Top 10 and AI/LLM security flaws across authentication, APIs, GraphQL endpoints, and file operations. Includes Docker Compose setup with intentionally weak configurations (debug mode enabled, plaintext credentials in .env, no rate limiting or input validation) to maximize educational attack surface.
Get the vuln-bank source
Clone the repository and explore it locally.
git clone https://github.com/Commando-X/vuln-bank.gitcd vuln-bank# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Isolate in air-gapped or containerized environments (Docker Compose provided); never expose to untrusted networks or the public internet.
- Run locally on development machines or dedicated training VMs; requires full control over network access and data cleanup after exercises.
- Database credentials and secrets are intentionally committed to .env for ease of setup; assume this is a training artifact and rotate all secrets if cloned elsewhere.
- Flask development server with debug=True is intentional to expose Werkzeug debugger exploits; do not run behind a production WSGI server in shared spaces.
- GraphQL schema introspection is enabled, JWT secrets are weak, and file upload paths are traversable; these are features, not bugs, for training.
When to avoid it — and what to weigh
- Production or public-facing use — Application is explicitly designed to be vulnerable. Hosting on the internet or using with real data creates serious security and compliance violations.
- Non-isolated or shared environments — Running on shared infrastructure, corporate networks, or multi-tenant systems risks lateral movement and data exposure. Requires complete network isolation.
- Compliance-sensitive contexts — Banking regulations (PCI-DSS, SOX) and data protection laws (GDPR, CCPA) prohibit intentionally vulnerable systems handling financial data, even for training.
- Integration with other systems — No stable API contracts, frequent intentional breaking changes expected, and security design is fundamentally unsound. Not suitable for integration or dependency.
License & commercial use
Licensed under MIT (OSI-approved, permissive). Permits use, modification, and distribution with minimal restrictions. Includes copyright notice and license text requirement. No patent grants or liability disclaimers beyond standard MIT terms.
MIT license permits commercial use of the code itself. However, deploying this application for any revenue-generating purpose (training services, consulting, SaaS) in production or customer-facing contexts contradicts its intentional vulnerability design and likely violates financial regulations, data protection laws, and professional liability standards. Requires legal review before any commercial deployment or integration.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
This is an intentionally vulnerable application; every flaw is by design. Do not assess for 'security posture' as production software. Key attack surfaces: SQL injection in login and GraphQL resolvers, broken authentication (weak JWT, localStorage tokens, no expiration), broken authorization (BOLA, BOPLA, mass assignment), unrestricted file uploads with path traversal, XSS, CSRF, race conditions in transactions, and prompt injection in AI features. These are training targets, not bugs to report. Only run in isolated environments with no access to production data or networks. No code hardening, no WAF bypass mitigations, no secrets management—all by design.
Alternatives to consider
DVWA (Damn Vulnerable Web Application)
Older, simpler PHP-based vulnerable app; well-established for OWASP Top 10 training. Fewer features (no AI, GraphQL, or banking domain). Better for beginners.
WebGoat (OWASP)
Java-based, lesson-driven platform with guided exercises. Includes AI/LLM security modules. More structured curriculum; less free-form penetration testing.
Juice Shop (OWASP)
JavaScript/Node.js modern vulnerable app with rich features (OAuth, API, admin panel). Larger community, active maintenance. No banking domain or AI focus.
Build on vuln-bank with DEV.co software developers
Clone vuln-bank, isolate it in Docker or a VM, and start identifying vulnerabilities. Use it to prepare for certifications, improve your pentesting skills, or train your team on secure coding patterns.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
vuln-bank FAQ
Can I run vuln-bank in Docker on a shared corporate network?
Is the .env file with credentials safe to commit?
Can I use vuln-bank to teach clients or in a commercial training course?
What's the difference between running with Docker Compose vs. local Python?
Software development & web development with DEV.co
Adopting vuln-bank is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Ready to Practice Security Testing?
Clone vuln-bank, isolate it in Docker or a VM, and start identifying vulnerabilities. Use it to prepare for certifications, improve your pentesting skills, or train your team on secure coding patterns.