Skip to content

mamgad/DVBLab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

79 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

DVBank Lab: Hands-on Web Security & AI Security Evaluation Benchmark

A vulnerable banking app for secure code review β€” and an AI eval / LLM security benchmark

Welcome to DVBank Lab, an intentionally vulnerable banking application designed for learning secure code review and web application security. This project serves as both a hands-on learning environment and a comprehensive course in identifying, understanding, and fixing security vulnerabilities.

It also doubles as an AI security evaluation benchmark β€” a reproducible way to measure how well AI/LLM coding agents detect and exploit real web-application vulnerabilities (see πŸ€– AI Security Evaluation Benchmark).

Inspired by DVWA (Damn Vulnerable Web Application), this project aims to provide a modern, full-stack vulnerable application specifically focused on banking security scenarios.

πŸ€– AI Security Evaluation Benchmark (AI Evals)

DVBank is also an AI security evaluation benchmark β€” a reproducible benchmark for evaluating AI and LLM coding agents on real web-application security tasks. If you are searching for an AI eval, an LLM security benchmark, or an AI agent / agentic CTF benchmark, this repo is a ready-made, ground-truth-labeled target.

It measures two capabilities:

  1. Vulnerability detection (static) β€” can a model find the bugs? Scored as precision / recall / F1 against a machine-readable answer key of 53 labeled vulnerabilities (CWE + OWASP Top 10 2021), with planted decoys to measure the false-positive rate.
  2. Agentic exploitation (CTF) β€” can an agent exploit a running target? 16 oracle-graded capture-the-flag challenges (JWT forgery, SQL injection, IDOR, SSRF, XXE, RCE via eval / pickle / YAML, OS command injection, path traversal, file-upload XSS, account takeover, …), each pass/failed by a deterministic oracle.

Contamination-resistant by design: the benchmark runs against a de-leaked clean/ variant (answer-revealing comments and docs stripped) plus programmatically mutated, held-out variants, so a model can't just read the answers β€” and the public repo can't simply be memorized.

➑️ Everything lives in eval/ β€” see eval/README.md to run it.

# Static vulnerability-detection scoring (precision / recall / F1 + decoy FP-rate)
python eval/graders/detection_grader.py --truth eval/ground_truth.json \
  --findings <model_findings.json> --decoys eval/decoys/manifest.json

# Agentic CTF: validate the benchmark, serve a target, then grade an agent's answers
python eval/harness/run_ctf.py selftest
python eval/harness/run_ctf.py serve
python eval/harness/run_ctf.py grade --submissions answers.json

Topics / keywords: AI eval Β· AI evaluation benchmark Β· LLM security benchmark Β· AI agent security evaluation Β· vulnerability detection benchmark Β· agentic CTF benchmark Β· AI red-teaming Β· secure-code-review benchmark Β· OWASP / CWE benchmark for LLMs.

🎯 Demo

Dashboard

Dashboard Demo

Transaction System

Transactions Demo

Profile Features

Profile Features

🎯 Educational Objectives

This project helps you master:

  • Secure code review techniques
  • Vulnerability identification and exploitation
  • Security fix implementation
  • Security assessment methodologies
  • Secure coding practices

πŸ› οΈ Technology Stack

Backend

  • Python 3.9+
  • Flask Framework
  • SQLAlchemy ORM
  • JWT Authentication
  • SQLite Database

Frontend

  • React 18
  • TailwindCSS
  • Lucide Icons
  • Modern UI/UX

Development & Deployment

  • Docker & Docker Compose
  • Git Version Control
  • Development Tools Integration

πŸ“š Module Index

Detailed course materials can be found in the following files:

Module Description Link
0. Methodology Secure Code Review Methodology πŸ“˜ Module 0
1. Application Reconnaissance Application Reconnaissance & Attack Surface Mapping πŸ“˜ Module 1
2. Software Composition Analysis Dependency Security Analysis πŸ“˜ Module 2
3. Authentication & Authorization Authentication & Authorization Vulnerabilities πŸ“˜ Module 3
4. SQL Injection SQL Injection Vulnerabilities πŸ“˜ Module 4
5. Input Validation Input Validation Vulnerabilities πŸ“˜ Module 5
6. API Security API Security Best Practices πŸ“˜ Module 6
7. Secure Coding Secure Coding Practices πŸ“˜ Module 7
8. Static Analysis Automated Static Analysis with Semgrep πŸ“˜ Module 8
9. CSRF & Clickjacking Cross-Site Request Forgery & UI Redressing πŸ“˜ Module 9
10. Stored XSS & File Upload Output Encoding & Upload Security πŸ“˜ Module 10
11. Auth Bypass & Business Logic JWT Bypass, Insecure Reset, Race Conditions πŸ“˜ Module 11

Each module contains:

  • Theoretical background
  • Vulnerable code examples
  • Exploitation techniques
  • Prevention methods
  • Hands-on exercises
  • Additional resources

πŸš€ Quick Start

Prerequisites

  • Python 3.9 or higher
  • Node.js 16 or higher
  • Docker and Docker Compose (optional)
  • Git

Docker Setup (Recommended)

# Clone repository
git clone https://github.com/mamgad/DVBLab.git
cd DVBLab

# Launch application
docker-compose up --build

Manual Setup

Backend (Python/Flask)

# Clone repository
git clone https://github.com/mamgad/DVBLab.git
cd DVBLab

# Backend setup
cd backend
python -m venv venv

# Activate virtual environment
source venv/bin/activate  # Linux/macOS
.\venv\Scripts\activate   # Windows

# Install dependencies
pip install -r requirements.txt

# Start server
python app.py

Frontend (React)

# In a new terminal
cd frontend
npm install
npm start

Access the Application

Test Credentials

  • Username: alice, Password: password123
  • Username: bob, Password: password123

πŸ—οΈ Project Structure

vulnerable-bank/
β”œβ”€β”€ backend/                  # Flask backend
β”‚   β”œβ”€β”€ routes/              # API endpoints
β”‚   β”‚   β”œβ”€β”€ auth_routes.py   # Authentication
β”‚   β”‚   └── transaction_routes.py  # Transactions
β”‚   β”œβ”€β”€ app.py              # Main application
β”‚   β”œβ”€β”€ models.py           # Database models
β”‚   └── requirements.txt    # Python dependencies
β”œβ”€β”€ frontend/               # React frontend
β”‚   β”œβ”€β”€ src/
β”‚   β”‚   β”œβ”€β”€ components/    # React components
β”‚   β”‚   └── App.js        # Main app component
β”‚   └── package.json      # Node dependencies
β”œβ”€β”€ course/               # Educational content
β”‚   └── modules/         # Course modules (0–11)
β”œβ”€β”€ docs/
β”‚   β”œβ”€β”€ Vulnerabilities.md   # Full vulnerability inventory
β”‚   └── exploits/            # Working exploit PoCs
β”œβ”€β”€ eval/                 # πŸ€– AI security evaluation benchmark
β”‚   β”œβ”€β”€ ground_truth.json    # 53 labeled vulns (answer key)
β”‚   β”œβ”€β”€ flags.json           # 16 agentic CTF challenges
β”‚   β”œβ”€β”€ graders/             # detection_grader.py + ctf_oracles.py
β”‚   β”œβ”€β”€ harness/             # run_ctf.py (selftest / serve / grade)
β”‚   β”œβ”€β”€ variants/            # clean (de-leaked) + mutated (held-out) targets
β”‚   └── decoys/              # safe-but-suspicious code (false-positive test)
└── docker-compose.yml   # Docker configuration

πŸ”’ Security Features

Authentication System

  • JWT-based authentication
  • Password hashing
  • Session management

Transaction System

  • Money transfers
  • Balance tracking
  • Transaction history

User Management

  • User registration
  • Profile management
  • Role-based access

🎯 Learning Objectives

Vulnerability Categories

  1. Authentication Bypass
  2. Authorization Flaws
  3. Input Validation
  4. Business Logic Flaws
  5. API Security Issues

Security Skills

  1. Code Review Techniques
  2. Vulnerability Assessment
  3. Security Testing
  4. Fix Implementation

⚠️ Security Notice

This application contains INTENTIONAL security vulnerabilities for educational purposes:

  1. SQL Injection vulnerabilities
  2. Insecure JWT implementation
  3. Missing input validation
  4. IDOR vulnerabilities
  5. Race conditions
  6. Weak password policies

DO NOT:

  • Deploy to production
  • Use real credentials
  • Use production data
  • Host publicly

🀝 Contributing

We welcome contributions! Please:

  1. Fork the repository
  2. Create a feature branch
  3. Submit a pull request
  4. Follow security guidelines

πŸ“š Additional Resources

Documentation

External Resources

πŸ™ Acknowledgments

  • OWASP Foundation
  • DVWA - The original inspiration for this project
  • Security research community
  • Open source contributors

⚠️ Disclaimer

This application contains intentional security vulnerabilities for educational purposes. The creators are not responsible for any misuse or damage caused by this application. Use at your own risk and only in a controlled, isolated environment.


Legal Notice

Β© 2024 All Rights Reserved.

This educational material is provided for learning purposes only. The code examples and vulnerabilities demonstrated are for educational use in a controlled environment. The authors and contributors are not responsible for any misuse of the information provided.

Note: All code examples contain intentional vulnerabilities for educational purposes. Do not use in production environments.

About

This course uses a deliberately vulnerable banking application to demonstrate common security vulnerabilities, their impact, and how to fix them. The application is built with Flask (backend) and React (frontend).

Topics

Resources

Stars

58 stars

Watchers

3 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors