GitHub: RitaNoble/openvault-bank-api-pentest
# OpenVault Bank API Penetration Test
## Overview
This repository contains a red-team-style API penetration testing assessment conducted against the OpenVault Bank application as part of a hands-on API security project.
The assessment focused on identifying vulnerabilities aligned with the OWASP API Security Top 10 (2023), including authorization flaws, authentication weaknesses, business logic issues, excessive data exposure, and security misconfigurations.
## Assessment Scope
### In Scope
* OpenVault Bank frontend application
* Backend API endpoints
* Authenticated and unauthenticated endpoints
* API traffic interception and analysis
* Discovery of undocumented endpoints
### Out of Scope
* Third-party integrations
* Real-world malicious exploitation
* External data exfiltration
## Methodology
The assessment followed a grey-box penetration testing methodology involving:
* Endpoint discovery
* Traffic interception and analysis
* Authentication and authorization testing
* JWT analysis
* Manual API security testing
* Automated vulnerability scanning
## Tools Used
* Burp Suite
* OWASP ZAP
* Postman
* JWT.io
* Browser Developer Tools
* Kali Linux
## Key Vulnerabilities Identified
| Vulnerability | Severity |
| ------------------------------------------ | -------- |
| Broken Object Level Authorization (BOLA) | Critical |
| Broken Authentication | Critical |
| Broken Function Level Authorization (BFLA) | Critical |
| Excessive Data Exposure | High |
| Security Misconfiguration | High |
| Improper Inventory Management | High |
| Unrestricted Resource Consumption | High |
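The top finding in the table, BOLA, is easiest to see as a vulnerable handler beside its hardened form. The following is an added illustration written for this README, not code from the OpenVault Bank application; the handlers, the `Session` type and the account records are all hypothetical, with the session subject assumed to come from an already-verified JWT.

```python
# Added illustration of Broken Object Level Authorization (BOLA).
# Hypothetical handlers and constructed data; not the OpenVault Bank code.
from dataclasses import dataclass

# Constructed sample data: two customers, each owning one account.
ACCOUNTS = {
    "acc-1001": {"owner": "alice", "balance": 2500.00},
    "acc-1002": {"owner": "bob", "balance": 140.75},
}


@dataclass
class Session:
    user: str  # subject claim taken from a JWT that was verified upstream (assumed)
    role: str = "customer"


class Forbidden(Exception):
    pass


def get_account_vulnerable(session: Session, account_id: str) -> dict:
    """BOLA: the caller is authenticated, but object ownership is never checked,
    so any logged-in user can read any account simply by changing the id."""
    return ACCOUNTS[account_id]


def get_account_hardened(session: Session, account_id: str) -> dict:
    """Object-level check: the record must belong to the caller, or the caller
    must hold a staff role (a function-level check against BFLA). Unknown and
    foreign ids raise the same error so the endpoint does not confirm which
    account ids exist."""
    record = ACCOUNTS.get(account_id)
    if record is None or (record["owner"] != session.user and session.role != "staff"):
        raise Forbidden("account not accessible")
    return record


def bola_present(handler) -> bool:
    """Differential check used during testing: can customer bob read alice's
    account through this handler? True means object-level authorization is missing."""
    try:
        return handler(Session("bob"), "acc-1001")["owner"] == "alice"
    except (Forbidden, KeyError):
        return False
```

`bola_present` is the shape of the two-user, cross-id comparison used to confirm a BOLA finding: same endpoint, different subject, foreign object id.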
## Key Skills Demonstrated
* API Penetration Testing
* OWASP API Top 10 Testing
* JWT Manipulation
* Authorization Testing
* Business Logic Testing
* Burp Suite Traffic Analysis
* Vulnerability Assessment
* Security Reporting
* Risk Analysis
* Manual API Exploitation
## Disclaimer
This project was conducted in a controlled lab/training environment strictly for educational and authorized security testing purposes.
## Author
Chinyere Rita Okonkwo
Cybersecurity | Penetration Testing | API Security