OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web-security enthusiasts. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMPP. It is pre-installed on SamuraiWTF and OWASP BWA. The existing version can be updated on these platforms. With dozens of vulnerabilities a…
Branch: master
Latest commit d3facad Mar 3, 2019
Type Name Latest commit message Commit time
ajax =2.6.67 Sep 28, 2018
classes =2.7.2 Jan 2, 2019
data =2.6.72 Nov 14, 2018
documentation =2.7.9 Mar 3, 2019
images =2.7.5 Jan 5, 2019
includes =2.7.9 Mar 3, 2019
javascript =2.6.67 Sep 28, 2018
owasp-esapi-php =2.7.1 Jan 1, 2019
passwords =2.6.67 Sep 28, 2018
phpmyadmin =2.6.67 Sep 28, 2018
styles
test/testoutput
webservices =2.6.67 Sep 28, 2018
.htaccess
Dockerfile =2.7.7 Jan 23, 2019
README-INSTALLATION.md =2.6.69 Sep 30, 2018
README.md =2.6.69 Sep 30, 2018
add-to-your-blog.php =2.7.1 Jan 1, 2019
arbitrary-file-inclusion.php
authorization-required.php =2.6.67 Sep 28, 2018
back-button-discussion.php =2.6.67 Sep 28, 2018
browser-info.php =2.6.67 Sep 28, 2018
cache-control.php
capture-data.php =2.6.67 Sep 28, 2018
captured-data.php =2.6.67 Sep 28, 2018
client-side-comments.php =2.6.67 Sep 28, 2018
client-side-control-challenge.php =2.6.67 Sep 28, 2018
conference-room-lookup.php =2.7.2 Jan 2, 2019
credits.php =2.6.67 Sep 28, 2018
database-offline.php =2.6.67 Sep 28, 2018
directory-browsing.php =2.6.67 Sep 28, 2018
dns-lookup.php =2.7.1 Jan 1, 2019
document-viewer.php =2.7.6 Jan 12, 2019
echo.php
edit-account-profile.php =2.7.3 Jan 3, 2019
framer.html
framing.php =2.6.70 Oct 22, 2018
hints-page-wrapper.php =2.6.67 Sep 28, 2018
home.php
html5-storage.php =2.6.67 Sep 28, 2018
index.php =2.7.2 Jan 2, 2019
login.php
page-not-found.php
password-generator.php =2.6.67 Sep 28, 2018
pen-test-tool-lookup-ajax.php =2.6.67 Sep 28, 2018
pen-test-tool-lookup.php
php-errors.php =2.6.67 Sep 28, 2018
phpinfo.php
phpmyadmin.php
privilege-escalation.php =2.6.67 Sep 28, 2018
redirectandlog.php =2.6.67 Sep 28, 2018
register.php =2.7.2 Jan 2, 2019
rene-magritte.php =2.6.67 Sep 28, 2018
repeater.php =2.6.67 Sep 28, 2018
robots-txt.php =2.6.67 Sep 28, 2018
robots.txt =2.6.67 Sep 28, 2018
secret-administrative-pages.php
set-background-color.php =2.6.67 Sep 28, 2018
set-up-database.php =2.7.9 Mar 3, 2019
show-log.php =2.7.6 Jan 12, 2019
site-footer-xss-discussion.php =2.6.67 Sep 28, 2018
source-viewer.php =2.6.67 Sep 28, 2018
sqlmap-targets.php =2.6.67 Sep 28, 2018
ssl-enforced.php =2.6.67 Sep 28, 2018
ssl-misconfiguration.php =2.6.67 Sep 28, 2018
styling-frame.php =2.6.67 Sep 28, 2018
styling.php =2.6.67 Sep 28, 2018
text-file-viewer.php =2.6.67 Sep 28, 2018
upload-file.php =2.6.67 Sep 28, 2018
user-agent-impersonation.php =2.6.67 Sep 28, 2018
user-info-xpath.php =2.7.6 Jan 12, 2019
user-info.php =2.7.2 Jan 2, 2019
user-poll.php =2.6.67 Sep 28, 2018
view-someones-blog.php
view-user-privilege-level.php =2.6.67 Sep 28, 2018
xml-validator.php =2.6.67 Sep 28, 2018

README.md

OWASP Mutillidae II

Project Announcements

Tutorials

Installation

Video tutorials are available for each step. If you already have a LAMP stack set up, you can skip directly to installing Mutillidae.

For detailed instructions, see the comprehensive guide

Usage

A large number of video tutorials are available on the webpwnized YouTube channel

Features

  • Has over 40 vulnerabilities and challenges. Contains at least one vulnerability for each of the OWASP Top Ten 2007, 2010, 2013 and 2017
  • Actually Vulnerable (User not asked to enter “magic” statement)
  • Mutillidae can be installed on Linux or Windows *AMP stacks, making it easy for users who do not want to install or administer their own web server. Mutillidae is confirmed to work on XAMPP, WAMP, and LAMP.
  • Preinstalled on Rapid7 Metasploitable 2, Samurai Web Testing Framework (WTF), and OWASP Broken Web Apps (BWA)
  • System can be restored to default with a single click of the "Setup" button
  • User can switch between secure and insecure modes
  • Used in graduate security courses, in corporate web sec training courses, and as an "assess the assessor" target for vulnerability software
  • Updated frequently