Black Box Testing On a Banking App

Me, Burp Suite, and a banking site that had absolutely no idea what was coming. 👀

March 22, 2026 · 3 min read

I've been going down the cybersecurity rabbit hole lately, specifically application security, and it turns out breaking stuff is genuinely fun. So I did what any reasonable person does: found an intentionally vulnerable banking app and went to practice.

The Setup

Target: demo.testfire.net. Mode: pure black-box - no source code & no hints. Just me, Brave, and Burp Suite, ready to cause some problems.

What I Found

Short answer: a lot. Long answer: 25 vulnerabilities. Built different. Unfortunately, that difference was entirely in the wrong direction.

The Fun Stuff 💥

  • XSS worked instantly (yes, alert() popped)
  • SQL Injection bypassed login like it was nothing ('OR 1=1-- supremacy)
  • Admin login worked with just admin / admin
  • Client-side validation? Completely bypassed (just had to disable JavaScript)
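To show why the login bypass above works and what stops it, here is an added example (not code from the post or from the demo site) with a constructed in-memory SQLite user table; the table, the `jsmith` account and the two login functions are all hypothetical stand-ins for a banking app's login backend.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the app's user store (hypothetical schema).
    # Passwords are stored in the clear here only to keep the example short;
    # a real system stores salted password hashes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('jsmith', 'demo1234')")
    return db


def login_vulnerable(db, username, password):
    # String concatenation: user input becomes part of the SQL text.
    # With username = "' OR 1=1--" the WHERE clause turns into
    #   username = '' OR 1=1--' AND password = '...'
    # and the comment marker throws away the password check entirely.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    # Bound parameters: the driver ships the values separately from the
    # query text, so quotes and comment markers are just characters
    # compared against the column, never SQL syntax.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo():
    # Returns the outcome of real credentials and of the payload from the
    # post against both implementations, keyed for easy inspection.
    db = make_db()
    payload = "' OR 1=1--"
    return {
        "valid_creds_vulnerable": login_vulnerable(db, "jsmith", "demo1234"),
        "valid_creds_parameterized": login_parameterized(db, "jsmith", "demo1234"),
        "payload_vulnerable": login_vulnerable(db, payload, "anything"),
        "payload_parameterized": login_parameterized(db, payload, "anything"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The same lesson applies to the disabled-JavaScript finding: the server, not the browser, has to be the place where input is checked.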

The Weird Stuff 🤨

  • Broken links everywhere..... less a website, more a 404 collection.
  • A submit button that does absolutely nothing (decorative I guess).
  • Backend serving wrong content to wrong pages for no reason whatsoever.
  • A survey that completely ignores your answers (truly the most relatable feature ong).

The Serious Stuff 🔐

  • Authentication? Broken. Like, fundamentally.
  • Access control issues (users seeing things they shouldn't).
  • Information leaks spilling server details and documents like it's a public blog.

Full Report 📄

I documented everything — every payload, every response, every "wait, really?" moment.

View Full Report →

What I Actually Learned

Security isn't always some elite hacker movie moment. Most of these came down to bad validation, weak logic, and genuinely avoidable mistakes. "The scariest vulnerabilities aren't complex... they are lazy." - Our college professor (bro left college after 1 month btw).

Was This Hacking?

Technically, no. Legally, yes, I'm fine. It's a demo site, so the whole point is getting broken. But honestly, poking at how systems fall apart is the fastest way to understand how to build ones that don't. 10/10 would break again. 😌