OWASP Mutillidae II

OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application providing a target for web-security enthusiasts. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF and OWASP BWA. The existing version can be updated on these platforms. With dozens of vulnerabilities and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiast, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an "assess the assessor" target for vulnerability assessment software.

Project Announcements

Twitter: https://twitter.com/webpwnized

Tutorials

YouTube: https://www.youtube.com/user/webpwnized

Installation on LAMP Stack

Video tutorials are available for each step. If you have a LAMP stack set up aleady, you might skip directly to installing Mutillidae. For detailed instructions, see the comprehensive guide

Installation on Docker

The following video tutorials explain how to bring up Mutillidae on a set of 5 containers running Apache/PHP, MySQL, OpenLDAP, PHPMyAdmin, and PHPLDAPAdmin

YouTube: How to Install Docker on Ubuntu
YouTube: How to Run Mutillidae on Docker
YouTube: How to Run Mutillidae from DockerHub Images
YouTube: How to Run Mutillidae on Google Kubernetes Engine (GKE)

Usage

A large number of video tutorials are available on the webpwnized YouTube channel

Features

Has over 40 vulnerabilities and challenges. Contains at least one vulnerability for each of the OWASP Top Ten 2007, 2010, 2013 and 2017
Actually Vulnerable (User not asked to enter “magic” statement)
Mutillidae can be installed on Linux or Windows *AMP stacks making it easy for users who do not want to install or administrate their own webserver. Mutillidae is confirmed to work on XAMPP, WAMP, and LAMP.
Preinstalled on Rapid7 Metasploitable 2, Samurai Web Testing Framework (WTF), and OWASP Broken Web Apps (BWA)
System can be restored to default with single-click of "Setup" button
User can switch between secure and insecure modes
Used in graduate security courses, in corporate web sec training courses, and as an "assess the assessor" target for vulnerability software
Updated frequently

Name		Name	Last commit message	Last commit date
Latest commit History 298 Commits
.github/workflows		.github/workflows
ajax		ajax
classes		classes
configuration		configuration
documentation		documentation
images		images
includes		includes
javascript		javascript
labs		labs
passwords		passwords
styles		styles
webservices		webservices
.htaccess		.htaccess
LICENSE		LICENSE
README-INSTALLATION.md		README-INSTALLATION.md
README.md		README.md
add-to-your-blog.php		add-to-your-blog.php
arbitrary-file-inclusion.php		arbitrary-file-inclusion.php
authorization-required.php		authorization-required.php
back-button-discussion.php		back-button-discussion.php
browser-info.php		browser-info.php
cache-control.php		cache-control.php
capture-data.php		capture-data.php
captured-data.php		captured-data.php
client-side-comments.php		client-side-comments.php
client-side-control-challenge.php		client-side-control-challenge.php
conference-room-lookup.php		conference-room-lookup.php
content-security-policy.php		content-security-policy.php
cors.php		cors.php
credits.php		credits.php
database-offline.php		database-offline.php
directory-browsing.php		directory-browsing.php
dns-lookup.php		dns-lookup.php
document-viewer.php		document-viewer.php
echo.php		echo.php
edit-account-profile.php		edit-account-profile.php
evil-tabby-cat.php		evil-tabby-cat.php
framer.html		framer.html
framing.php		framing.php
git.sh		git.sh
hints-page-wrapper.php		hints-page-wrapper.php
home.php		home.php
html5-storage.php		html5-storage.php
index.php		index.php
jwt.php		jwt.php
login.php		login.php
nice-tabby-cat.php		nice-tabby-cat.php
page-not-found.php		page-not-found.php
password-generator.php		password-generator.php
pen-test-tool-lookup-ajax.php		pen-test-tool-lookup-ajax.php
pen-test-tool-lookup.php		pen-test-tool-lookup.php
php-errors.php		php-errors.php
phpinfo.php		phpinfo.php
privilege-escalation.php		privilege-escalation.php
push-development-branch.sh		push-development-branch.sh
redirectandlog.php		redirectandlog.php
register.php		register.php
rene-magritte.php		rene-magritte.php
repeater.php		repeater.php
robots-txt.php		robots-txt.php
robots.txt		robots.txt
secret-administrative-pages.php		secret-administrative-pages.php
set-background-color.php		set-background-color.php
set-up-database.php		set-up-database.php
show-log.php		show-log.php
site-footer-xss-discussion.php		site-footer-xss-discussion.php
source-viewer.php		source-viewer.php
sqlmap-targets.php		sqlmap-targets.php
ssl-enforced.php		ssl-enforced.php
ssl-misconfiguration.php		ssl-misconfiguration.php
styling-frame.php		styling-frame.php
styling.php		styling.php
test-connectivity.php		test-connectivity.php
text-file-viewer.php		text-file-viewer.php
upload-file.php		upload-file.php
user-agent-impersonation.php		user-agent-impersonation.php
user-info-xpath.php		user-info-xpath.php
user-info.php		user-info.php
user-poll.php		user-poll.php
view-someones-blog.php		view-someones-blog.php
view-user-privilege-level.php		view-user-privilege-level.php
xml-validator.php		xml-validator.php

License

webpwnized/mutillidae

Folders and files

Latest commit

History