Stepan Demianenko

Secure development coursework

BankWebsite Security Hardening

Identifying, exploiting, and mitigating web vulnerabilities in a Java/Jetty banking app.

A secure development project built on the vulnerable BankWebsite Java/Jetty application. It demonstrates how common web vulnerabilities can be exploited, then mitigated, across login, account management, balance transfers, and an admin-only password reset workflow — while preserving normal banking functionality.

Repository | Live demo coming soon

Problem

Banking-style web applications expose login, transfers, and admin workflows that are easy to get subtly wrong, leaving exploitable security flaws inside normal-looking functionality.

Solution

The project exploited each vulnerability to prove the risk, then applied secure fixes that addressed the underlying flaw and re-tested to confirm both mitigation and preserved functionality.

Tech Stack

Java, Jetty, Servlets, SQL, Web Security

Technical Details

The important implementation choices and trade-offs behind the project.

  • Analysed the BankWebsite servlets for login, account, transfer, customer listing, and admin password reset.
  • Identified parameter tampering via trusted hidden form fields in the transfer confirmation flow.
  • Identified a critical function (admin password reset) missing proper authentication.
  • Applied server-side validation and authentication checks to remove the root causes.
  • Re-ran the original attacks to confirm mitigation and verified normal banking flows still worked.
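As an added illustration of the two fixes listed above (this is example code written for this page, not code from the BankWebsite project or the coursework itself), the block below shows hardened versions of the transfer confirmation servlet and the admin password reset servlet. The class names, the `AccountStore` interface, the `PendingTransfer` holder, the minimum password length and the session attribute names (`customerId`, `isAdmin`, `pendingTransfer`) are all assumptions, as is the `javax.servlet` API (Jetty 9-era; newer Jetty releases use `jakarta.servlet`). Each servlet's comment states the vulnerable pattern the page describes, followed by the server-side checks that remove it.

```java
import java.io.IOException;
import java.math.BigDecimal;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical persistence interface; BankWebsite's real data layer is not shown on the page. */
interface AccountStore {
    boolean ownedBy(String accountId, String customerId);
    BigDecimal balance(String accountId);
    void transfer(String fromAccount, String toAccount, BigDecimal amount);
    void resetPassword(String customerId, String newPassword);
}

/** Transfer details captured at the "enter transfer" step and kept server-side in the session. */
final class PendingTransfer {
    final String fromAccount, toAccount;
    final BigDecimal amount;
    PendingTransfer(String fromAccount, String toAccount, BigDecimal amount) {
        this.fromAccount = fromAccount; this.toAccount = toAccount; this.amount = amount;
    }
}

/**
 * Confirmation step of the transfer flow.
 * Vulnerable pattern (hidden form field trust): the confirmation page echoed the source
 * account and amount back as hidden inputs and the servlet used them directly, e.g.
 *   store.transfer(req.getParameter("fromAccount"), req.getParameter("toAccount"),
 *                  new BigDecimal(req.getParameter("amount")));
 * Hardened version: transfer details submitted at confirmation time are ignored; the copy
 * stored server-side at the entry step is re-validated against the logged-in customer.
 */
public class TransferConfirmServlet extends HttpServlet {
    private final AccountStore store;

    public TransferConfirmServlet(AccountStore store) { this.store = store; }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        String customerId = session == null ? null : (String) session.getAttribute("customerId");
        if (customerId == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        PendingTransfer pending = (PendingTransfer) session.getAttribute("pendingTransfer");
        if (pending == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "No transfer awaiting confirmation");
            return;
        }
        // Server-side checks: caller owns the source account, amount is positive and covered.
        // None of these depend on anything the confirmation form submitted.
        if (!store.ownedBy(pending.fromAccount, customerId)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (pending.amount.signum() <= 0
                || pending.amount.compareTo(store.balance(pending.fromAccount)) > 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid amount");
            return;
        }
        store.transfer(pending.fromAccount, pending.toAccount, pending.amount);
        session.removeAttribute("pendingTransfer"); // one confirmation per entered transfer
        resp.setStatus(HttpServletResponse.SC_OK);
    }
}

/**
 * Admin-only password reset.
 * Vulnerable pattern (missing authentication for a critical function): the servlet read
 * customerId and newPassword from the request and reset the password without checking
 * who was asking. Hardened version: an authenticated session is required, and the admin
 * flag is one the login servlet set server-side, never a request parameter.
 */
class AdminPasswordResetServlet extends HttpServlet {
    private static final int MIN_PASSWORD_LENGTH = 12; // assumed policy, not from the page
    private final AccountStore store;

    AdminPasswordResetServlet(AccountStore store) { this.store = store; }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("customerId") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); // not logged in at all
            return;
        }
        if (!Boolean.TRUE.equals(session.getAttribute("isAdmin"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);    // logged in, but not an admin
            return;
        }
        String targetCustomer = req.getParameter("customerId");
        String newPassword = req.getParameter("newPassword");
        if (targetCustomer == null || targetCustomer.isEmpty()
                || newPassword == null || newPassword.length() < MIN_PASSWORD_LENGTH) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing or weak parameters");
            return;
        }
        store.resetPassword(targetCustomer, newPassword);
        resp.setStatus(HttpServletResponse.SC_OK);
    }
}
```

The design point shared by both servlets is that the decision inputs (which account, how much, who is asking, whether they are an admin) come from state the server established earlier in the session, so editing the submitted form changes nothing the servlet acts on. Re-running the original tampering and unauthenticated-reset requests against these handlers should yield 400/401/403 responses while the ordinary enter-then-confirm transfer and a genuine admin reset still succeed.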

Highlights

  • Hardened a vulnerable Java/Jetty banking application.
  • Demonstrated and fixed Hidden Form Field Trust / parameter tampering in the transfer flow.
  • Demonstrated and fixed Missing Authentication for a critical function (admin password reset).
  • Followed a show-exploit-fix-retest-verify structure for each vulnerability.
  • Focused on removing root causes rather than blocking single payloads.
  • Preserved original banking functionality after each mitigation.

Outcomes

  • Produced a clear vulnerability-to-mitigation walkthrough with before/after verification.
  • Created strong evidence of secure development and threat-modelling thinking.