BankSploit · Login

BankSploit Vuln Mode

Lab: ON Hints: shownAll→

Sign in to BankSploit

Forgot password? Create account

Try BS100234 / password123, or bypass with ADMIN001' -- (trailing space).

Difficulty for this pageSet level:

⚠ Lab Mode — vulnerabilities on this page

G1 · level 0 SQL injection (login bypass) — Login as any user with ' OR 1=1 -- in customer_id. At level 1 a basic blacklist blocks OR but not UNION.
L10 · level 0 OTP brute-force — Only 10,000 combinations and the code stays valid for 24h — at ~500 req/s any OTP falls in seconds.
L11 · level 0 OTP in response body — Read the OTP straight from the login API response — no SMS access needed.
L14 · level 0 Session fixation — Attacker fixes a known PHPSESSID, victim logs in, attacker reuses the same ID.
L16 · level 0 Account enumeration — Enumerate valid Customer IDs / emails from differing responses.

🔎 Vulnerable vs. Secure (L3) codeView code for

🔎

Font

Live level: level 0

Set level:

☠ Vulnerable (current level) · /var/www/html/modules/auth/login_vuln.php

78            $sql = "SELECT id, customer_id, name, role FROM users "
79                 . "WHERE customer_id = '" . $cid . "' "
80                 . "AND password_md5 = '" . md5($password) . "' LIMIT 1";

🛡 Secure (L3) · /var/www/html/modules/auth/login_secure.php

30        $stmt = $pdo->prepare(
31            'SELECT id, customer_id, name, role, password_hash, is_locked, locked_until
32               FROM users WHERE customer_id = :cid LIMIT 1'
33        );
34        $stmt->execute([':cid' => $customerId]);
35        $row = $stmt->fetch();
53        if ($row && password_verify($password, (string) $row['password_hash'])) {
54            auth_reset_failures($pdo, (int) $row['id']);
55            unset($row['password_hash'], $row['is_locked'], $row['locked_until']);
56            return ['ok' => true, 'user' => $row, 'error' => null, 'locked' => false];
57        }

Live level: level 0

Set level:

☠ Vulnerable (current level) · /var/www/html/modules/auth/_shared.php

91        if ($secure) {
92            // Rate-limit OTP verification the same way as login (shared counter).
93            if (auth_is_locked($pdo, $userId)) {
94                return false;
95            }
96        }

🛡 Secure (L3) · /var/www/html/modules/auth/_shared.php

91        if ($secure) {
92            // Rate-limit OTP verification the same way as login (shared counter).
93            if (auth_is_locked($pdo, $userId)) {
94                return false;
95            }
96        }

Live level: level 0

Set level:

☠ Vulnerable (current level) · /var/www/html/modules/auth/_shared.php

61        if ($level === 0) {
62            return ['otp' => $code];
63        }
64        if ($level === 1) {
65            // "Nested deeper" so it looks like an innocuous debug block.
66            return ['debug' => ['sms' => ['to' => '+91*****', 'otp' => $code, 'sent' => true]]];
67        }

🛡 Secure (L3) · /var/www/html/modules/auth/_shared.php

70        return [];

Live level: level 0

Set level:

☠ Vulnerable (current level) · /var/www/html/core/Session.php

64        if (self::isSecureLevel()) {
65            self::regenerate();
66        }
67        // level 0: deliberately do nothing -> fixation.

🛡 Secure (L3) · /var/www/html/core/Session.php

64        if (self::isSecureLevel()) {
65            self::regenerate();
66        }
67        // level 0: deliberately do nothing -> fixation.

Live level: level 0

Set level:

☠ Vulnerable (current level) · /var/www/html/modules/auth/login_vuln.php

102            $exists = $pdo->prepare('SELECT 1 FROM users WHERE customer_id = :cid LIMIT 1');
103            $exists->execute([':cid' => $customerId]);
104            $error = $exists->fetchColumn()
105                ? 'Incorrect password.'
106                : 'Customer ID not found.';

🛡 Secure (L3) · /var/www/html/modules/auth/login_secure.php

110            $error = 'Invalid credentials.';

⚠ Intentionally vulnerable application — local security training only.