BankSploit · Forgot password

BankSploit Vuln Mode

Lab: ON Hints: shownAll→

Forgot password

Back to sign in

Difficulty for this pageSet level:

⚠ Lab Mode — vulnerabilities on this page

L25 · level 0 Session puzzling (forgot-password) — Submit a victim's email at /forgot-password, then browse straight to /dashboard — you are logged in as them (the admin's email yields an admin session). The security questions are never needed.
L13 · level 0 Predictable reset tokens — Guess another user's reset token and take over the account.
L16 · level 0 Account enumeration — Enumerate valid Customer IDs / emails from differing responses.

🔎 Vulnerable vs. Secure (L3) codeView code for

🔎

Font

Live level: level 0

Set level:

☠ Vulnerable (current level) · /var/www/html/modules/auth/_shared.php

142        if ($level === 0) {
143            $token = base64_encode($userId . ':' . time());
144        } elseif ($level === 1) {
145            $token = base64_encode('bs:' . $userId . ':' . time());
365            $decoded = bs_b64url_decode($token);
366            if (preg_match('/^(.+):([a-f0-9]{32})$/', $decoded, $m)) {
367                $st = $pdo->prepare('SELECT id, email FROM users WHERE customer_id = :c LIMIT 1');
368                $st->execute([':c' => $m[1]]);
369                if (($row = $st->fetch()) && md5((string) $row['email']) === $m[2]) {
370                    return (int) $row['id'];
371                }
372            }

🛡 Secure (L3) · /var/www/html/modules/auth/_shared.php

148        } else {
149            $token = bin2hex(random_bytes(32));
150        }
376        return auth_consume_reset_token($pdo, $token);

Live level: level 0

Set level:

☠ Vulnerable (current level) · /var/www/html/modules/auth/login_vuln.php

102            $exists = $pdo->prepare('SELECT 1 FROM users WHERE customer_id = :cid LIMIT 1');
103            $exists->execute([':cid' => $customerId]);
104            $error = $exists->fetchColumn()
105                ? 'Incorrect password.'
106                : 'Customer ID not found.';

🛡 Secure (L3) · /var/www/html/modules/auth/login_secure.php

110            $error = 'Invalid credentials.';

⚠ Intentionally vulnerable application — local security training only.