Lab Walkthrough

This report presents the results of a comprehensive black-box penetration test conducted against UnSAFE Bank, a deliberately insecure, undocumented banking application designed to emulate the complexities and security pitfalls of real-world financial platforms.

Deployed locally in a controlled lab environment, UnSAFE Bank features a modern multi-tier architecture: a React-based frontend, a PHP backend running on Apache with PHP-FPM, and a MySQL database. This full-stack setup mirrors common enterprise deployments and offers a broad attack surface across client-side, API, server-side, and database layers.

Unlike traditional CTF-style challenges, UnSAFE Bank is poorly documented and no longer maintained, presenting an additional layer of realism. The assessment was conducted from a pure black-box perspective, without access to source code or documentation. All vulnerabilities were identified through dynamic analysis, reverse engineering, and iterative probing.

This report documents:

  • The methodology used to deploy, stabilize, and assess the environment.
  • A step-by-step breakdown of critical vulnerabilities discovered — from broken authentication to remote code execution.
  • Exploitation details supported by custom tooling.
  • Realistic remediation recommendations based on modern web security practices.

The environment was set up on Kali Linux using Docker Compose, and all findings were reproduced in a fully isolated, reproducible lab setup to simulate real-world conditions as closely as possible.