Scenarios

Login form on online.keensafeglobalbank.com is vulnerable to SQL injection. The injected query exfiltrates rows from the users table.

GET /api/v1/accounts/{id} returns account data for any id without ownership checks.

GET /api/v1/fetch?url= follows arbitrary URLs, including the AWS instance metadata service simulation host.

CTI feed surfaced vpn.user@keensafeglobalbank.com:Summer2025!. Combined with no MFA on legacy VPN this would yield direct internal access.

Jenkins admin credentials are weak and build logs leak fake AWS keys. Stolen keys pivot into S3 + IAM.

Chatbot at chatbot.keensafeglobalbank.com responds to 'ignore previous instructions' by leaking the system prompt and customer-record content.

CTI lkc-007 (admin@keensafeglobalbank.com:Admin123! from stealer log) reused on /admin/login.