These Bulawayo techies are sharing info on how to hack a bank

Nigel Gambanga Avatar

You (and everyone else around you with a remote interest in technology) have probably said this a thousand and one times – cyber security is a huge concern. Sadly, the Zimbabwean discussion on anything related to that topic isn’t as loud as other issues in technology. Why should people care really?

Maybe it will take a huge cyber attack like a bank being hacked for people to listen. In the city of Bulawayo, some techies are working on that. Not, the hack, but cyber security and preparing for the worst case scenario like an intrusion.

Some people might recognise the name Owasp, a global non-profit organisation that works on improving software security. The Owasp Bulawayo chapter, in partnership with tech incubator, SkyHub, will be holding an event on 3 October at the National University of Science and Technology(NUST) called “How To Hack a Bank Using XSS”.

You can sign up for the event by following this link here

Open to the public, this meetup will have presentations on penetration testing methodology and an introduction to XSS (cross-site scripting) this delivery will include practical hands-on demos with a capture the flag event where participants will try to exploit an XSS vulnerability in a bank website to steal money from a bank account. Also under discussion will be XSS mitigation in PHP and Asp.Net.

According to Trevor Sibanda the chapter leader for Owasp Bulawayo, anyone keen on attending is required to bring a laptop and preferably have a bare minimum understanding of HTML and Javascript.

With a title like How to Hack a Bank, the event is likely to draw a lot of attention, from security enthusiasts, aspiring cyber criminals and professional hackers. Maybe they just might get more people to appreciate the need for greater focus on security.



  1. fourwallsinaroom

    You know.. I remember once approaching a certain firm (we talking top ten in zimbabwe) about a vulnerability. They said nope we dont need your help. I said oh ok, but your vulnerability affects your customers as well. They said well we will look into it. 3 years down the line it is still there. I think this is a good way to go about getting firms esp. the giants to wake up. I thought about the commercial value of the exploit, and well lets just say I could be making a tonne of money but I am not a criminal so i ve just kept quiet.

    1. tnashc

      If they haven’t lost anything and it’s just probably XSS that doesn’t compromise anything that may cause a revenue leakage then it definitely isn’t worth the effort for the company. Online privacy is really not yet much of a concern here in Zim. That’s just how the market is.

  2. Rr

    Knowing zim situation uts probarly some1 who
    1 is in the dept tht makes financial decisions and thinks an antivurus and firewall is enough
    2 some who thinks tht you are threatning their job or making them look incompetent

  3. Hacker

    Can this event be online. we all can’t come to Byo but sound interesting enough

  4. tnashc

    I likes the strikethrough on “‘aspiring cyber criminals’ and professional hackers” part.
    Anyway how to hack a bank in Zim using XSS, mmmm I honestly doubt that is possible as most bank portals have remarkable protection against XSS, basing on the portals I have used.
    I could get worried about how ATMs are currently transmitting card data across their networks though, which could easily get sniffed by some Mr Robot out there.

  5. tinm@n

    How to hack a bank using XSS…

    Why not just hack a site with XSS.

    When you say bank, what exactly are you talking about?

    What bank?

    Running what software?

    Which part of it?

    Its website?

    Its externally exposed applications/services?

    Do you know its internal structure?

    A bank can have thousands upon thousands of permutations and combinations of hardware + network + software + security configurations.

    So you cant have one way of how to hack a bank using XSS.

    We dont sensationalise in IT. How to hack a website using XSS. Without any knowledge of its internal structure, the best you may get to is breaching the website, which will probably be hosted by another company, or located in its DMZ.

    1. chokwadi

      uyu hameno zvaarikutaura but anenge anoziva,maoko angu angaakutovava but after reading back to airtym vending

    2. Zigzaya

      Also, they expect attendants to: “preferably have a bare minimum understanding of HTML and Javascript”

      And they want to hack a bank? sperm bank maybe?

    3. Charle

      when your system gets exploited, it dosen’t mean you intentionaly left the loop hole open but rather because you where not aware, in other words you thought your tengai security thing waz tight!! but later booooom!! thats when you realize, its all IT

    4. Tapiwa✔

      Without any knowledge of its internal structure, the best you may get to is breaching the website
      You’re splitting hairs: ‘breaching a website’ is more commonly known as hacking. If I modify a website so that I can transfer money from your account – that’s a hack. Since it’s possible to do this and more** using XSS, in my book it qualifies as a hack. If an attacker is able to run scripts in your websites context, you’re toast. They don’t need to know your internal network layout.

      **You can even steal user/admin credentials with XSS

      1. tinm@n

        You’re lost. That isnt what I’m talking about.

        It’s the “bank” part.

        You cannot have a generic how to “hack a bank” guide using XSS. What part?

    5. Trevor Sibanda

      If you’re in Bulawayo make sure you attend our event or access the presentation content online.

      The purpose of this event is not to point and hack a website, the purpose of the event is to teach people to be creative and think like an attacker.

      1. Roland the Anon

        Dude how do you join Owasp and what is base2 theory

      2. Lunga Dikoloti

        Hi good day saw your zimbot initiative great innovation would like to engage with you on the business aspect of it.i have a concepts that we can explore using the your platform to maximize the revenue.please get back at me ASP.Pretoria. South africa

  6. feya

    Hamurikumashure MUZAYA…Bank… bayai kumusha kwaMuzarabani monotaura nyaya idzodzo mchidziya zuva

  7. Kevin Munzwa

    dhiziri pachinhoyi

  8. purple

    This should make a good conversation piece. In this day and age what bank is still sucsceptible to a Cross Site forgery attack? Of the two banks i have internet banking, one sends a OTP to your phone while the other gives you an OTP generator device. Anyway most of these banks outsource development of the web banking to external vendors who have vast experience. So I really doubt you will be able to use it on a bank. It would be a good exercise for wannabe hackers….to bad its not in Harare.

  9. Dadaya Nkoloma

    Dont under estimate Cross Scripting.I have scanned most banks here around and almost all of them have some kind of vulnerabilites.With Metasploit, these guys can prove you guys wront.My combination is Metasploit on backtract, Acunetix, Nessus and ******

    1. Madodoya

      Makaipa baba. Munogona wena.

      1. Dadaya Nkoloma

        Thats what I do ethically

        1. Zviro Zvangu

          Dadaya Nkoloma I need to get in touch with you.

          1. Dadaya Nkoloma

            I m all yours, especially if you need penetration testing , network scanning and cyrptography.drop me an email

            1. Zviro Zvangu

              Dadaya Nkoloma my email is, lets talk more

              1. Dadaya nkoloma

                I ve sent

  10. nqobile gerald ndlovu

    What is important is for you to attend and find out. You have to trade off between cost of travel or time vs expected gain. Period.

  11. van lee chigwada

    this is nonsense. simple encoding and escaping can block client side scripting.
    or i just disable JS from my web-app.

    and you think a bank website woldnt do that. too bad i missed this.