Mutillidae – Set Of PHP Vulnerable Scripts That Implement The OWASP Top 10

by Black on September 14, 2009

in Open Source, Security tools, Web Application Penetration Testing

Mutillidae is a set of deliberately vulnerable PHP scripts that implement the OWASP Top 10 for testing and teaching purposes.

It has been written so that it is easy to demonstrate common attacks to others. Feel free to use it in your own classes or videos! Many web app hobbyists and professionals use PHP, and it’s pretty easy to pick up the basics of the language.


Features of the Mutillidae project:

1. Make the code and examples simple to understand so as to get the point across of how a given vulnerability works. With some of the stuff in WebGoat it is a little hard to figure out how to exploit the code; Mutillidae almost exploits itself. My app won’t be very realistic, but it should illustrate the core concepts well.

2. Be geared in such a way that it’s easy to update with new modules and hints.

3. Easy to install and run. Just download XAMPP Lite for Windows or Linux, put the scripts in the htdocs directory, and click the “Setup/reset the DB” link in the main menu.

4. When you find bugs in code, I can legitimately say it’s a feature.

The OWASP Top 10 covered are:

Cross Site Scripting (XSS)
Injection Flaws (SQL and Command)
Malicious File Execution
Insecure Direct Object Reference
Cross Site Request Forgery (CSRF)
Information Leakage and Improper Error Handling
Broken Authentication and Session Management
Insecure Cryptographic Storage
Insecure Communications
Failure to Restrict URL Access

Installation procedure:

Extract the files somewhere in the htdocs folder of XAMPP (for example htdocs/mutillidae), or run it from your Linux box after installing Apache/PHP/MySQL. It should go without saying that you should NOT run this code on a production network. Either run it on a private network, or restrict your web server to the local loopback address only. You can do that by finding the “Listen” line in Apache’s httpd.conf file and changing it to read: Listen 127.0.0.1:80

This tool can also be used alongside the Damn Vulnerable Web App for testing, auditing or building proof-of-concept demonstrations.

Video Tutorial is here

Download Mutillidae here
