🔒 Solofaze Financial - Workflow Vulnerability Demo

Pentesting Interview Demonstration - Defensive Security Analysis

⚠️ EDUCATIONAL PURPOSE ONLY: This demo recreates the 2016 fake accounts scandal workflow bypass (inspired by real-world incidents) for security training and penetration testing interviews. It demonstrates both vulnerable and secure implementations, along with detection mechanisms.

Proper Account Creation Workflow

1. Customer Request
2. Documentation
3. Manager Approval
4. Account Creation

❌ Solofaze Scandal: Employees created accounts FIRST, then forged signatures and backdated approvals to simulate the proper workflow

🚨 Vulnerable Workflow (2016 Scandal Style)

This endpoint demonstrates the vulnerabilities that enabled the scandal.

  • VUL-001: Accepts client-provided timestamps
  • VUL-002: No validation that the approval timestamp precedes the creation timestamp
  • VUL-003: Workflow steps can be skipped
  • VUL-004: No rate limiting on account creation

✅ Secure Workflow (Mitigated)

This endpoint implements proper controls to prevent workflow bypass.

  • SEC-001: Server-generated timestamps (immutable)
  • SEC-002: Workflow state machine enforcement
  • SEC-003: Separation of duties validation
  • SEC-004: Rate limiting (max 5/hour)
  • SEC-005: Digital signatures (not forgeable)
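The two lists above, worked through as an added example that is not part of the demo's own code: a server-side workflow that enforces the step order, server-generated timestamps, separation of duties and the 5-per-hour rate limit (SEC-001 to SEC-004), plus a detection check for the out-of-order timestamps a backdated approval leaves behind when the vulnerable endpoint accepts them. The names (SecureWorkflow, Account, is_backdated) are assumptions, timestamps are epoch seconds, and the clock is injectable only so the run can be tested; SEC-005 (digital signatures) is not covered.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Ordered workflow steps from the page; an account may only advance one step at a time.
STEPS = ("customer_request", "documentation", "manager_approval", "account_creation")
RATE_LIMIT = 5          # SEC-004: max account creations per employee per window
RATE_WINDOW = 3600.0    # seconds (one hour)


@dataclass
class Account:
    customer: str
    history: list = field(default_factory=list)  # (step, actor, server_timestamp)


class SecureWorkflow:
    """Server-side enforcement of the four-step workflow (SEC-001 to SEC-004)."""
    def __init__(self, clock=time.time):
        # Every timestamp comes from the server clock (epoch seconds), never from the
        # client request (SEC-001); the clock is injectable only so tests can control time.
        self.clock = clock
        self.creations = defaultdict(deque)  # employee -> creation times inside the window

    def advance(self, acct, step, actor):
        now = self.clock()
        done = len(acct.history)
        expected = STEPS[done] if done < len(STEPS) else None
        if step != expected:  # SEC-002: state machine, steps cannot be skipped (closes VUL-003)
            raise ValueError(f"expected step {expected!r}, got {step!r}")
        if step == "manager_approval" and actor in {who for _, who, _ in acct.history}:
            raise PermissionError("SEC-003: approver may not be the requesting employee")
        if step == "account_creation":
            if now < acct.history[-1][2]:  # creation must follow approval (closes VUL-002)
                raise ValueError("creation timestamp precedes approval")
            window = self.creations[actor]
            while window and now - window[0] >= RATE_WINDOW:
                window.popleft()
            if len(window) >= RATE_LIMIT:
                raise RuntimeError("SEC-004: account creation rate limit exceeded")
            window.append(now)
        acct.history.append((step, actor, now))
        return now


def is_backdated(history):
    """Detection check: True when recorded timestamps are out of step order, the trace
    a backdated approval leaves in data the vulnerable endpoint (VUL-001/VUL-002) stored."""
    stamps = [ts for _, _, ts in history]
    return any(later < earlier for earlier, later in zip(stamps, stamps[1:]))
```

Running the same four-step sequence through `advance` with the steps out of order, with the requester approving their own request, or a sixth creation inside the hour raises on the offending step instead of silently recording it.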

🔍 Anomaly Detection Engine

Real-time pattern detection for fraudulent activity.

🎬 Demo Scenarios

Pre-configured scenarios for your interview.