
SecureMilkCarton – An intentionally vulnerable website designed to learn how to secure web applications

A project written by Thomas Laurenson, SecureMilkCarton is an intentionally vulnerable Java web application that runs on Apache Tomcat.


It seems vulnerable web applications for learning hacking or penetration testing are a dime a dozen. SecureMilkCarton is different: it has been specifically designed to teach how to secure a poorly written web application and how to secure the web server it runs on.

The web application itself is riddled with security issues, including:

  • Vulnerable to SQL injection attacks
  • Vulnerable to XSS attacks
  • Access control issues
  • Bad password storage practices
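Two of the application-level issues listed above, SQL injection and bad password storage, usually meet in the login code. The following is an added illustration, not code from SecureMilkCarton: a JDBC login check written the vulnerable way next to a hardened version that uses a parameterised query and a salted PBKDF2 hash (chosen here because it ships with the JDK; the project itself does not prescribe a scheme). The table and column names are assumed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.Statement;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical login logic; the users table and its columns are assumed, not taken from the project.
public class LoginCheck {

    // BEFORE: the query is built by string concatenation and passwords are stored and compared
    // in plaintext. A quote character in either field is parsed as SQL syntax, so the caller
    // controls the shape of the WHERE clause rather than just the values it compares.
    static boolean loginVulnerable(Connection db, String user, String pass) throws Exception {
        String sql = "SELECT * FROM users WHERE username = '" + user
                   + "' AND password = '" + pass + "'";
        try (Statement st = db.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // AFTER: a PreparedStatement sends the username to MySQL as a bound parameter (data, never
    // SQL), and the password is verified against a salted PBKDF2 hash in constant time.
    static boolean loginHardened(Connection db, String user, String pass) throws Exception {
        String sql = "SELECT password_hash, salt FROM users WHERE username = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return false;
                byte[] stored = Base64.getDecoder().decode(rs.getString("password_hash"));
                byte[] salt = Base64.getDecoder().decode(rs.getString("salt"));
                return MessageDigest.isEqual(stored, pbkdf2(pass, salt)); // timing-safe compare
            }
        }
    }

    // PBKDF2-HMAC-SHA256, 100k iterations, 256-bit output: slow on purpose so stolen hashes
    // are expensive to brute-force, unlike the plaintext (or unsalted MD5) storage it replaces.
    static byte[] pbkdf2(String pass, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pass.toCharArray(), salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Account creation: fresh random salt per user; store both values (Base64) in the users table.
    static String[] newCredential(String pass) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new String[] { Base64.getEncoder().encodeToString(pbkdf2(pass, salt)),
                              Base64.getEncoder().encodeToString(salt) };
    }
}
```

The hardened version also stops leaking whether a username exists through different SQL error paths, since a missing row and a wrong password both return false from the same code path.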

To add to the problem, the web server used to host the web application also suffers from a collection of security issues, including:

  • Non-existent firewall
  • Poorly configured MySQL database
  • No HTTPS configured
  • Default SSH configuration
  • Bad practice implementing security-related HTTP headers

Project Background

SecureMilkCarton is written in Java and deployed on Apache Tomcat. I am by no means a Java expert or a Java fan – not a hater, I just have never really written in it… So why write it in Java? Well, the web application is the resultant product of a practical assessment I developed for the Introduction to Information Security course that I teach. This course is situated in the same semester that students are taking the Programming 3 paper in, you guessed it, the Java programming language. The web application has a MySQL database for user authentication and web application data storage. Again, SQL was chosen as students are also taking a Databases 2 paper which covers relational databases. So the applications used seemed like a good fit for the degree.

Since SecureMilkCarton was specifically designed for my Introduction to Information Security course, it targets the level of the paper. This course is situated in the second year of a Bachelor of Information Technology degree. It is the first security-related paper students have taken, and they only have 1 year of experience in the IT field. So it targets that general level. However, students do have a collection of practical labs and worksheets that guide them through the general framework of performing a security audit. Additionally, the assessment could easily be scaled up or down depending on specific requirements.

Project Repository

The SecureMilkCarton project is hosted on my GitHub account, available at: SecureMilkCarton

The repository is well documented, so please look over the README for technical documentation including installation, configuration, vulnerabilities, project structure, and some general usage examples.

Project Exercises and Answers

Included with SecureMilkCarton is a collection of tasks, somewhat similar to the assessment I wrote for my Introduction to Information Security course. The tasks and answers are provided in the folder called exercises, in two PDFs named exercises.pdf and answers.pdf. Since I want this project to be used by other tertiary institutes, the exercises and model answers are encrypted and can only be accessed with a password. This password can be provided to faculty members who can prove that they are teaching courses in accredited educational institutes. Please email me for additional information.

Source – Thomas Laurenson
