SecureBank is a comprehensive banking application simulation designed for educational purposes, particularly focusing on web security and SQL injection vulnerabilities. This application provides a realistic banking interface with features such as account management, transaction tracking, feedback system, and a detailed Help & FAQ section.
IMPORTANT NOTE: This application contains intentional security vulnerabilities as part of a Capture The Flag (CTF) exercise focused on SQL injection. These vulnerabilities are for educational purposes only and should not be implemented in production environments.
- Features
- Setup and Installation
- Running Locally
- Project Structure
- API and Backend
- Database Structure
- Security Vulnerabilities
- Pages and Components
- Technologies Used
- Development Workflow
- Deployment
- Contributing
- License
SecureBank offers a comprehensive set of features designed to simulate a real banking application:
- User authentication (login/logout)
- Account registration
- Profile management
- Session tracking (last login time)
- View transaction history
- Add new transactions (credit/debit)
- Search and filter transactions
- Transaction categorization
- Submit feedback on the application
- View feedback from other users
- Feedback history tracking
- Comprehensive FAQ section organized by categories
- Searchable FAQ database
- Quick tips and security recommendations
- Additional help resources
- Password protection
- Session management with signed cookies
- Secure routing
- Intentional SQL injection vulnerabilities for educational purposes
- Node.js (v18.0.0 or higher)
- npm (v8.0.0 or higher)
- Navigate to Project Directory (from Root):
cd frontend- Install dependencies:
npm ciNote: We use npm ci instead of npm install to ensure exact versions from package-lock.json are installed.
- Set up environment variables (Already comitted in Repo):
Create a
.env.localfile in the root directory with the following variables:COOKIE_SECRET=p9Y!2m@lK8z$1WqA7&dE4Xu0Cj
To run the application locally:
- Navigate to Project Directory (from Root):
cd frontend- Start the development server:
npm run dev-
Access the application: Open your browser and navigate to
http://localhost:3000 -
Login credentials: For testing purposes, you can use the following credentials:
- Username:
admin - Password:
admin123
or
- Username:
sunny.admin - Password:
sunny.admin123
Or register a new account through the registration page.
- Username:
frontend/
├── app/ # Next.js App Router directory
│ ├── api/ # API routes for backend functionality
│ │ ├── feedback/ # Feedback API endpoints
│ │ │ └── route.ts
│ │ ├── get-session/ # Session management endpoints
│ │ │ └── route.ts
│ │ ├── login/ # Authentication endpoints
│ │ │ └── route.ts
│ │ ├── logout/ # Logout functionality
│ │ │ └── route.ts
│ │ ├── register/ # User registration
│ │ │ └── route.ts
│ │ └── transactions/ # Transaction management
│ │ └── route.ts
│ ├── dashboard/ # Dashboard pages
│ │ ├── feedback/ # Feedback system
│ │ │ └── page.tsx
│ │ ├── transactions/ # Transaction management
│ │ │ ├── add/
│ │ │ │ └── page.tsx # Add transaction form
│ │ │ └── page.tsx # Transaction list
│ │ └── page.tsx # Main dashboard
│ ├── help-faq/ # Help & FAQ section
│ │ └── page.tsx
│ ├── login/ # Login page
│ │ └── page.tsx
│ ├── public/ # Public discussions page
│ │ └── discussions/
│ │ └── page.tsx
│ ├── register/ # Registration page
│ │ └── page.tsx
│ ├── globals.css # Global CSS styles
│ ├── layout.tsx # Root layout
│ └── page.tsx # Landing page
├── components/ # Shared components (not shown in file structure)
│ ├── ui/ # UI components
│ └── ...
├── database/ # Database configuration and setup
│ └── db.ts # SQLite database initialization
├── lib/ # Utility functions and libraries
│ └── utils.ts
├── public/ # Static assets
│ ├── digital-flow.png
│ ├── interconnected-banking.png
│ └── secure-future-hands.png
├── .env.local # Environment variables
├── .eslintrc.json # ESLint configuration
├── .gitignore # Git ignore file
├── database.sqlite # SQLite database file
├── next.config.mjs # Next.js configuration
├── package.json # Project dependencies
├── README.md # Project documentation
├── tailwind.config.ts # Tailwind CSS configuration
└── tsconfig.json # TypeScript configuration
└── Dockerfile # Build structset
└── .dockerignore # Docker ignore file (node_modules, etc.)
└── start.sh # Start script for Docker
The application uses Next.js App Router API routes to handle backend functionality. Each API endpoint is implemented as a route handler in the app/api directory.
/api/feedback: Manages user feedback submissions and retrieval/api/get-session: Handles session management and user information retrieval/api/login: Authenticates users and creates secure sessions/api/logout: Terminates user sessions/api/register: Handles new user registration/api/transactions: Manages transaction creation and retrieval
The application uses signed cookies for secure authentication:
- User submits login credentials
- Server validates credentials against the database
- On successful authentication, a signed session cookie is created using cookie-signature
- Session information includes username and role
- Protected routes verify the session cookie before granting access
Example from the login route handler:
// Create signed session cookie
const sessionData = JSON.stringify({ username: decodedUsername, role: user.role });
const secret = process.env.COOKIE_SECRET!;
const signedSession = cookieSignature.sign(sessionData, secret);
// Set the cookie
(await cookies()).set("session", signedSession, {
httpOnly: true,
secure: process.env.NODE_ENV === "production",
sameSite: "strict",
maxAge: 60 * 60 * 24, // 1-day expiration
path: "/",
});The application uses SQLite with better-sqlite3 for data storage. The database schema is defined in database/db.ts:
- Users
CREATE TABLE IF NOT EXISTS Users (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username VARCHAR(1000) UNIQUE,
password VARCHAR(1000),
role VARCHAR(1000)
);- Transactions
CREATE TABLE IF NOT EXISTS Transactions (
id INTEGER PRIMARY KEY AUTOINCREMENT,
sender VARCHAR(1000),
recipient VARCHAR(1000),
amount INTEGER
);- Feedback
CREATE TABLE IF NOT EXISTS feedback (
id INTEGER PRIMARY KEY AUTOINCREMENT,
user TEXT NOT NULL,
message TEXT NOT NULL,
date TEXT DEFAULT CURRENT_TIMESTAMP,
read BOOLEAN DEFAULT 0
);The database is initialized with a default admin user if one doesn't exist:
// Inserts a hardcoded admin user if none exists
const adminExists = db.prepare("SELECT * FROM Users WHERE username = 'admin'").get();
if (!adminExists) {
db.prepare("INSERT INTO Users (username, password, role) VALUES (?, ?, ?)").run(
"admin",
"admin123",
"admin"
);
console.log("Admin user created: admin / admin123");
} else {
console.log("Admin user already exists.");
}-
Landing Page (
/):- Introduction to SecureBank
- Login and registration links
- Animated background using Vanta.js
-
Login Page (
/login):- User authentication form
- Error handling for invalid credentials
- Link to registration page
-
Registration Page (
/register):- New user registration form
- Password confirmation
- Form validation
-
Dashboard (
/dashboard):- Account overview
- Recent transactions
- Financial statistics
- Quick links to other sections
-
Transactions (
/dashboard/transactions):- Transaction history table
- Search and filter functionality
- Transaction summary cards
-
Add Transaction (
/dashboard/transactions/new):- Form to add new transactions
- Date picker
- Transaction type selection
-
Feedback (
/dashboard/feedback):- Feedback submission form
- Feedback history
- Statistics on feedback
-
Help & FAQ (
/help-faq):- Categorized FAQ sections
- Search functionality (vulnerable to SQL injection)
- Contact information
-
Navigation Bar:
- Present on all authenticated pages
- Links to main sections
- Logout button
-
Transaction Cards:
- Display transaction information
- Color-coded by transaction type
-
FAQ Accordion:
- Expandable FAQ items
- Category filtering
-
Search Components:
- Present in transactions and FAQ pages
- Vulnerable to SQL injection (intentionally)
-
Form Components:
- Login, registration, transaction, and feedback forms
- Input validation
- Next.js: React framework for server-rendered applications
- React: JavaScript library for building user interfaces
- TypeScript: Typed superset of JavaScript
- Tailwind CSS: Utility-first CSS framework
- Vanta.js: 3D animated backgrounds on login screen.
- Next.js API Routes: Server-side API endpoints
- better-sqlite3: SQLite database driver for Node.js
- cookie-signature: For signing and verifying cookies
- next/headers: For cookie management in route handlers
- ESLint: JavaScript linting utility
- Prettier: Code formatter
- Git: Version control system
- Pages: Located in the
appdirectory following Next.js App Router conventions - API Routes: Server-side endpoints in the
app/apidirectory - Components: Reusable UI elements in the
componentsdirectory - Database: SQLite setup and schema in the
databasedirectory - Styles: Tailwind CSS utility classes with global styles in
globals.css - Utils: Helper functions in the
libdirectory
- Create new components in the
componentsdirectory - Add new pages in the appropriate directories under
app - Implement API endpoints in the
app/apidirectory - Update database schema if necessary at
database/db.ts - Test the feature locally
- Commit changes with descriptive commit messages
- Follow TypeScript type definitions
- Use React hooks for state management
- Implement responsive design using Tailwind's responsive utilities
- Keep components small and focused on a single responsibility
- Use semantic HTML elements
- Properly sanitize user inputs in production code (intentionally not done in some places for CTF)
This project is licensed under the MIT License - see the LICENSE file for details.
This application contains intentional security vulnerabilities for educational purposes. Do not use this code in production environments without addressing these vulnerabilities. The creators of this application are not responsible for any misuse or damage caused by the code.
Last updated: April 15, 2025
Created for educational purposes only for CSCI3540U - Ontario Tech - CTF Final Major Project.