Welcome to DVBank Lab, an intentionally vulnerable banking application designed for learning secure code review and web application security. This project serves as both a hands-on learning environment and a comprehensive course in identifying, understanding, and fixing security vulnerabilities.
It also doubles as an AI security evaluation benchmark β a reproducible way to measure how well AI/LLM coding agents detect and exploit real web-application vulnerabilities (see π€ AI Security Evaluation Benchmark).
Inspired by DVWA (Damn Vulnerable Web Application), this project aims to provide a modern, full-stack vulnerable application specifically focused on banking security scenarios.
DVBank is also an AI security evaluation benchmark β a reproducible benchmark for evaluating AI and LLM coding agents on real web-application security tasks. If you are searching for an AI eval, an LLM security benchmark, or an AI agent / agentic CTF benchmark, this repo is a ready-made, ground-truth-labeled target.
It measures two capabilities:
- Vulnerability detection (static) β can a model find the bugs? Scored as precision / recall / F1 against a machine-readable answer key of 53 labeled vulnerabilities (CWE + OWASP Top 10 2021), with planted decoys to measure the false-positive rate.
- Agentic exploitation (CTF) β can an agent exploit a running target? 16 oracle-graded capture-the-flag challenges (JWT forgery, SQL injection, IDOR, SSRF, XXE, RCE via eval / pickle / YAML, OS command injection, path traversal, file-upload XSS, account takeover, β¦), each pass/failed by a deterministic oracle.
Contamination-resistant by design: the benchmark runs against a de-leaked clean/ variant (answer-revealing comments and docs stripped) plus programmatically mutated, held-out variants, so a model can't just read the answers β and the public repo can't simply be memorized.
β‘οΈ Everything lives in eval/ β see eval/README.md to run it.
# Static vulnerability-detection scoring (precision / recall / F1 + decoy FP-rate)
python eval/graders/detection_grader.py --truth eval/ground_truth.json \
--findings <model_findings.json> --decoys eval/decoys/manifest.json
# Agentic CTF: validate the benchmark, serve a target, then grade an agent's answers
python eval/harness/run_ctf.py selftest
python eval/harness/run_ctf.py serve
python eval/harness/run_ctf.py grade --submissions answers.jsonTopics / keywords: AI eval Β· AI evaluation benchmark Β· LLM security benchmark Β· AI agent security evaluation Β· vulnerability detection benchmark Β· agentic CTF benchmark Β· AI red-teaming Β· secure-code-review benchmark Β· OWASP / CWE benchmark for LLMs.
This project helps you master:
- Secure code review techniques
- Vulnerability identification and exploitation
- Security fix implementation
- Security assessment methodologies
- Secure coding practices
- Python 3.9+
- Flask Framework
- SQLAlchemy ORM
- JWT Authentication
- SQLite Database
- React 18
- TailwindCSS
- Lucide Icons
- Modern UI/UX
- Docker & Docker Compose
- Git Version Control
- Development Tools Integration
Detailed course materials can be found in the following files:
| Module | Description | Link |
|---|---|---|
| 0. Methodology | Secure Code Review Methodology | π Module 0 |
| 1. Application Reconnaissance | Application Reconnaissance & Attack Surface Mapping | π Module 1 |
| 2. Software Composition Analysis | Dependency Security Analysis | π Module 2 |
| 3. Authentication & Authorization | Authentication & Authorization Vulnerabilities | π Module 3 |
| 4. SQL Injection | SQL Injection Vulnerabilities | π Module 4 |
| 5. Input Validation | Input Validation Vulnerabilities | π Module 5 |
| 6. API Security | API Security Best Practices | π Module 6 |
| 7. Secure Coding | Secure Coding Practices | π Module 7 |
| 8. Static Analysis | Automated Static Analysis with Semgrep | π Module 8 |
| 9. CSRF & Clickjacking | Cross-Site Request Forgery & UI Redressing | π Module 9 |
| 10. Stored XSS & File Upload | Output Encoding & Upload Security | π Module 10 |
| 11. Auth Bypass & Business Logic | JWT Bypass, Insecure Reset, Race Conditions | π Module 11 |
Each module contains:
- Theoretical background
- Vulnerable code examples
- Exploitation techniques
- Prevention methods
- Hands-on exercises
- Additional resources
- Python 3.9 or higher
- Node.js 16 or higher
- Docker and Docker Compose (optional)
- Git
# Clone repository
git clone https://github.com/mamgad/DVBLab.git
cd DVBLab
# Launch application
docker-compose up --build# Clone repository
git clone https://github.com/mamgad/DVBLab.git
cd DVBLab
# Backend setup
cd backend
python -m venv venv
# Activate virtual environment
source venv/bin/activate # Linux/macOS
.\venv\Scripts\activate # Windows
# Install dependencies
pip install -r requirements.txt
# Start server
python app.py# In a new terminal
cd frontend
npm install
npm start- Frontend: http://localhost:3000
- Backend API: http://localhost:5000
- Username: alice, Password: password123
- Username: bob, Password: password123
vulnerable-bank/
βββ backend/ # Flask backend
β βββ routes/ # API endpoints
β β βββ auth_routes.py # Authentication
β β βββ transaction_routes.py # Transactions
β βββ app.py # Main application
β βββ models.py # Database models
β βββ requirements.txt # Python dependencies
βββ frontend/ # React frontend
β βββ src/
β β βββ components/ # React components
β β βββ App.js # Main app component
β βββ package.json # Node dependencies
βββ course/ # Educational content
β βββ modules/ # Course modules (0β11)
βββ docs/
β βββ Vulnerabilities.md # Full vulnerability inventory
β βββ exploits/ # Working exploit PoCs
βββ eval/ # π€ AI security evaluation benchmark
β βββ ground_truth.json # 53 labeled vulns (answer key)
β βββ flags.json # 16 agentic CTF challenges
β βββ graders/ # detection_grader.py + ctf_oracles.py
β βββ harness/ # run_ctf.py (selftest / serve / grade)
β βββ variants/ # clean (de-leaked) + mutated (held-out) targets
β βββ decoys/ # safe-but-suspicious code (false-positive test)
βββ docker-compose.yml # Docker configuration
- JWT-based authentication
- Password hashing
- Session management
- Money transfers
- Balance tracking
- Transaction history
- User registration
- Profile management
- Role-based access
- Authentication Bypass
- Authorization Flaws
- Input Validation
- Business Logic Flaws
- API Security Issues
- Code Review Techniques
- Vulnerability Assessment
- Security Testing
- Fix Implementation
This application contains INTENTIONAL security vulnerabilities for educational purposes:
- SQL Injection vulnerabilities
- Insecure JWT implementation
- Missing input validation
- IDOR vulnerabilities
- Race conditions
- Weak password policies
DO NOT:
- Deploy to production
- Use real credentials
- Use production data
- Host publicly
We welcome contributions! Please:
- Fork the repository
- Create a feature branch
- Submit a pull request
- Follow security guidelines
- Course Modules
- Installation Guide
- Known Vulnerabilities - Detailed list of intentional security issues
- OWASP Foundation
- DVWA - The original inspiration for this project
- Security research community
- Open source contributors
This application contains intentional security vulnerabilities for educational purposes. The creators are not responsible for any misuse or damage caused by this application. Use at your own risk and only in a controlled, isolated environment.
Β© 2024 All Rights Reserved.
This educational material is provided for learning purposes only. The code examples and vulnerabilities demonstrated are for educational use in a controlled environment. The authors and contributors are not responsible for any misuse of the information provided.
Note: All code examples contain intentional vulnerabilities for educational purposes. Do not use in production environments.


