Skip to content

DeloitteDigitalAT/terracotta-bank

Repository files navigation

Terracotta Bank

Terracotta Bank is an intentionally-vulernable web application, useful for practicing detection, exploitation, and mitigation of common web application security vulnerabilities.

Terrcotta Bank binds locally to port 8080 by default, and while it is running, the machine on which it is running is vulnerable in the same way that this application is.

Getting Started

Terracotta Bank is a fully-functional Spring Boot web application that lacks most common security mechanisms and makes numerous classic security mistakes.

To run Terracotta Bank, simply clone the repo and then run:

./gradlew bootRun

And browse to localhost:8080 to begin looking for vulnerabilities.

Usage

The intent of this application is to support engineers in practicing and learning about secure coding, ethical hacking, and detection and triage techniques. There are several ways to engage with this application to achieve this.

Blind Pentesting

Because Terracotta Bank is a real web application, it can be effective to point popular pentesting tools like Burpsuite, ZAP, and sqlmap at it to discover vulnerabilities.

For example, try pointing http://sqlmap.org/ at the /login endpoint to find more than one way to log in.

Unit Tests

Terracotta Bank is equipped with dozens of intentionally failing unit tests. These are useful for praticing mitigation. As mitigation steps are added, the unit tests begin to pass, helping engineers evaluate the strength of their mitigations.

Lessons

For a more guided approach, see the /lessons folder, which has written guides explaining the nature of a given vulnerability along with some hints for how to exploit and mitigate it in the application.

Branches

For each lesson, there is a git branch with individual commits which progressively make the application more secure against the vulnerability described. Follow the commit messages to gain an understanding of good mitigations and why they are beneficial.

Releases

No releases published

Packages

No packages published