Share
## https://sploitus.com/exploit?id=3D0A1229-1084-5FB4-ACD0-1416172B2807
# NileBank - Web Pen Testing Project

A realistic bank web application with **5 hidden security vulnerabilities** embedded in the code.
The team's task is to find, understand, and fix each one.

## How to Run
Open `index.html` in any browser. No server or installation needed.

**Demo Login:**
- Account: `NB-00001` / Password: `password123`
- Admin: `admin` / `admin`

---

## Pages & Hidden Bugs (for instructor reference)

| Page | File | Bug | Type |
|------|------|-----|------|
| Login | `index.html` + `js/main.js` | Credentials validated client-side in JS; no lockout | Client-side Auth + Brute Force |
| Transfer | `pages/transfer.html` + `js/transfer.js` | SQL string concatenation, no parameterization | SQL Injection |
| Search | `pages/search.html` + `js/search.js` | Search term reflected via `innerHTML` | XSS |
| Documents | `pages/upload.html` + `js/upload.js` | No file type / MIME validation | Unrestricted Upload |
| Profile | `pages/profile.html` + `js/profile.js` | `?user_id=` not checked against session; logout redirect not validated | IDOR + Open Redirect |

---

## Project Structure
```
nilebank/
โ”œโ”€โ”€ index.html              โ† Login page
โ”œโ”€โ”€ css/main.css            โ† All styles
โ”œโ”€โ”€ js/
โ”‚   โ”œโ”€โ”€ main.js             โ† Login logic (Bug #1)
โ”‚   โ”œโ”€โ”€ transfer.js         โ† Transfer logic (Bug #2)
โ”‚   โ”œโ”€โ”€ search.js           โ† Search logic (Bug #3)
โ”‚   โ”œโ”€โ”€ upload.js           โ† Upload logic (Bug #4)
โ”‚   โ””โ”€โ”€ profile.js          โ† Profile logic (Bug #5a + #5b)
โ””โ”€โ”€ pages/
    โ”œโ”€โ”€ transfer.html
    โ”œโ”€โ”€ search.html
    โ”œโ”€โ”€ upload.html
    โ””โ”€โ”€ profile.html
```