A safe, contained training lab for learning OWASP Top 10 vulnerabilities on a fictional online bank.
⚠ Cybersecurity Training Simulation Only. All users, accounts, and transactions are fictional. This app does not connect to any real bank, payment system, or customer data. Use only for training in environments you control.
FauxBank is a modern Next.js training lab that simulates a fictional online bank with intentionally vulnerable modules. Learners practise discovering, documenting, and remediating common web-application security issues — entirely inside a sandbox.
| Feature | Description |
|---|---|
| Fictional bank portal | Dashboard, accounts, transfers, profile, loans, support, admin |
| Guided pentest mode | 6 step-by-step OWASP scenarios with hints and progress tracking |
| Simulated scanner | Severity, evidence, remediation, OWASP category — no external traffic |
| Learner dashboard | Score, scenarios completed, time spent, hints used |
| Instructor dashboard | Toggle vulnerabilities, reset progress, export findings to CSV |
| Pentest report generator | Print-to-PDF report with executive summary, findings, remediation |
| Dark, banking-styled UI | Tailwind, responsive, accessible, training-banner on every page |
| # | Lesson | Module |
|---|---|---|
| 1 | Broken Access Control (IDOR) | GET /api/accounts/[id] |
| 2 | Weak authentication / no lockout | /login |
| 3 | Stored XSS in support tickets | /support |
| 4 | Sensitive data exposure | /api/profile |
| 5 | Admin misconfiguration | /admin |
| 6 | Simulated SQL injection | /api/search |
| 7 | Missing CSRF on transfers | /api/transfer |
| 8 | Insufficient audit logging | global |
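As an added example that is not code from the FauxBank repository, the sketch below models lesson 1 (Broken Access Control / IDOR on `GET /api/accounts/[id]`) together with lesson 8 (audit logging) in plain TypeScript: a vulnerable lookup that trusts the id in the URL sits beside a hardened one that enforces object-level authorisation and records every decision. The `Session`, `Account` and `AuditEntry` shapes, the `ACCOUNTS` sample data, the function names and the status codes are all assumptions made for this illustration; the real app's route handlers and `lib/db` are not reproduced here.

```typescript
// Added example (not FauxBank's own code). Models lessons 1 and 8 of the lab:
// an IDOR on GET /api/accounts/[id] and the audit entry that should record each decision.
// All types, names and sample data below are constructed for this illustration.

type Role = "customer" | "admin";

interface Session {
  userId: string;
  role: Role;
}

interface Account {
  id: string;
  ownerId: string;
  balance: number;
}

interface AuditEntry {
  actor: string;
  action: string;
  target: string;
  outcome: "allowed" | "denied" | "not_found";
}

type HandlerResult = { status: number; body: unknown };

// Constructed in-memory store standing in for the lab's lib/db.
const ACCOUNTS: Account[] = [
  { id: "acc-1001", ownerId: "alice", balance: 2500 },
  { id: "acc-1002", ownerId: "bob", balance: 900 },
];

// Append-only audit trail; lesson 8 is about what is missing when this stays empty.
export const auditLog: AuditEntry[] = [];

// Vulnerable version: the session is authenticated but never consulted, so any
// logged-in user can read any account by guessing its id (Broken Access Control).
export function getAccountVulnerable(_session: Session, id: string): HandlerResult {
  const account = ACCOUNTS.find((a) => a.id === id);
  if (!account) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: account };
}

// Hardened version: object-level authorisation on every request, plus an audit entry
// for the allowed, denied and not-found outcomes. Admins may read any account;
// customers only the accounts they own.
export function getAccountHardened(session: Session, id: string): HandlerResult {
  const account = ACCOUNTS.find((a) => a.id === id);
  if (!account) {
    auditLog.push({ actor: session.userId, action: "account.read", target: id, outcome: "not_found" });
    return { status: 404, body: { error: "not found" } };
  }
  const permitted = session.role === "admin" || account.ownerId === session.userId;
  auditLog.push({
    actor: session.userId,
    action: "account.read",
    target: id,
    outcome: permitted ? "allowed" : "denied",
  });
  if (!permitted) {
    // 403 keeps the denial explicit for learners; a production API may prefer 404
    // so the response does not confirm that the id exists.
    return { status: 403, body: { error: "forbidden" } };
  }
  return { status: 200, body: account };
}

// Detection helper of the kind an instructor dashboard could run over the trail:
// repeated denied reads from one actor are the signature of id enumeration.
export function deniedReadsByActor(log: AuditEntry[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const entry of log) {
    if (entry.outcome === "denied") counts[entry.actor] = (counts[entry.actor] ?? 0) + 1;
  }
  return counts;
}
```

Calling `getAccountVulnerable` as `bob` with `acc-1001` returns alice's account; `getAccountHardened` returns 403 for the same call, 200 for bob's own `acc-1002`, and leaves one `denied` entry in `auditLog` that `deniedReadsByActor` surfaces.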
| Category | Technology |
|---|---|
| Frontend | Next.js 16 (App Router), React 19, TypeScript |
| Styling | Tailwind CSS |
| Backend | Next.js Route Handlers (Node.js) |
| Data | In-memory mock store (no native DB deps) |
| Auth | Cookie-based simulated session |
| Deployment | Vercel |
```
┌────────────────────────────────────┐
│       Browser (Learner / Admin)    │
└──────────────┬─────────────────────┘
               │
  HTTPS, simulated session cookie
               │
               ▼
┌────────────────────── Next.js App Router ──────────────────────┐
│                                                                │
│  ┌── Public ──┐   ┌──────── (bank) Layout ────────┐            │
│  │ /          │   │ /dashboard  /accounts         │            │
│  │ /login     │   │ /transfer   /profile  /loans  │            │
│  │ /disclaimer│   │ /support    /admin            │            │
│  └────────────┘   │ /lab  /scanner  /learner      │            │
│                   │ /report  /instructor          │            │
│                   └───────────────┬───────────────┘            │
│                                   │                            │
│  ┌─────────────── Route Handlers (/api) ───────────────────┐   │
│  │ auth · accounts · transfer · search · support · profile │   │
│  │ loans · scanner · findings · learner · instructor       │   │
│  └────────────────────────┬────────────────────────────────┘   │
│                           │                                    │
│           ┌─── lib/ ──────┴──────┐                             │
│           │ db (in-memory)       │                             │
│           │ auth                 │                             │
│           │ scenarios            │                             │
│           │ scanner              │                             │
│           └──────────────────────┘                             │
└────────────────────────────────────────────────────────────────┘
```
```
pentest/
├── app/
│   ├── (bank)/          # Authenticated portal (sidebar layout)
│   │   ├── dashboard/ accounts/ transfer/ profile/
│   │   ├── loans/ support/ admin/
│   │   └── lab/ scanner/ learner/ report/ instructor/
│   ├── api/             # Route handlers
│   │   ├── auth/ accounts/ transfer/ search/ support/
│   │   ├── profile/ loans/ scanner/ findings/
│   │   └── learner/ instructor/
│   ├── login/           # Public pages
│   ├── disclaimer/
│   ├── layout.tsx
│   └── page.tsx         # Landing
├── components/          # Sidebar, footer, banner, badges, page header
├── lib/                 # db, auth, scenarios, scanner
├── public/
├── README.md
└── screenshot.png
```
- Node.js 20+
- npm
```bash
git clone https://github.com/alfredang/pentest.git
cd pentest
npm install
npm run dev
```

Then open http://localhost:3000.
| Username | Password | Role |
|---|---|---|
| alice | password | customer |
| bob | qwerty | customer |
| carol | letmein | customer |
| admin | admin | admin |
| trainer | trainer | instructor |
All credentials are intentionally weak for the Weak Authentication scenario. Do not reuse.
- Read the Disclaimer page.
- Sign in as `alice` / `password`.
- Open the Vulnerability Lab and work through the scenarios.
- Run the Scanner to compare your findings.
- Add findings on the Report page and export the printable report.
- As `trainer` / `trainer`, open the Instructor Dashboard to toggle vulnerabilities, reset learner state, or export findings as CSV.
This project is deployed at pentest-fauxbank.vercel.app. To deploy your own copy:

```bash
npm i -g vercel
vercel --prod
```

Or run it in Docker:

```bash
docker build -t fauxbank .
docker run -p 3000:3000 fauxbank
```

- Only fictional users and fake banking data are included.
- Simulated vulnerabilities exist only inside this lab and are reversible from the instructor switches or `Reset entire lab`.
- The app contains no real hacking tools, malware, credential theft, or destructive payloads.
- The simulated scanner does not perform any external network traffic.
- Do not use techniques learned here against systems you do not own or are not explicitly authorised to test. Unauthorised access to computer systems is illegal in most jurisdictions.
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-scenario`)
- Commit your changes (`git commit -m 'Add scenario X'`)
- Push to the branch (`git push origin feature/amazing-scenario`)
- Open a Pull Request
For larger ideas, please open a discussion first.
For educational use within authorised training environments only.
Tertiary Infotech Academy Pte. Ltd.
- OWASP Top 10 for the vulnerability taxonomy
- Next.js, React, Tailwind CSS
- The cybersecurity training community
If this lab is useful for your training, please ⭐ star the repo to support it.
