Share
## https://sploitus.com/exploit?id=3D0A1229-1084-5FB4-ACD0-1416172B2807
# NileBank - Web Pen Testing Project
A realistic bank web application with **5 hidden security vulnerabilities** embedded in the code.
The team's task is to find, understand, and fix each one.
## How to Run
Open `index.html` in any browser. No server or installation needed.
**Demo Login:**
- Account: `NB-00001` / Password: `password123`
- Admin: `admin` / `admin`
---
## Pages & Hidden Bugs (for instructor reference)
| Page | File | Bug | Type |
|------|------|-----|------|
| Login | `index.html` + `js/main.js` | Credentials validated client-side in JS; no lockout | Client-side Auth + Brute Force |
| Transfer | `pages/transfer.html` + `js/transfer.js` | SQL string concatenation, no parameterization | SQL Injection |
| Search | `pages/search.html` + `js/search.js` | Search term reflected via `innerHTML` | XSS |
| Documents | `pages/upload.html` + `js/upload.js` | No file type / MIME validation | Unrestricted Upload |
| Profile | `pages/profile.html` + `js/profile.js` | `?user_id=` not checked against session; logout redirect not validated | IDOR + Open Redirect |
---
## Project Structure
```
nilebank/
โโโ index.html โ Login page
โโโ css/main.css โ All styles
โโโ js/
โ โโโ main.js โ Login logic (Bug #1)
โ โโโ transfer.js โ Transfer logic (Bug #2)
โ โโโ search.js โ Search logic (Bug #3)
โ โโโ upload.js โ Upload logic (Bug #4)
โ โโโ profile.js โ Profile logic (Bug #5a + #5b)
โโโ pages/
โโโ transfer.html
โโโ search.html
โโโ upload.html
โโโ profile.html
```