OWASP Mutillidae II is a deliberately vulnerable web application used for security training, awareness demonstrations, and practising web application security testing. It is an OWASP (Open Web Application Security Project) project and is free and open source. The application simulates real-world web application vulnerabilities and provides a safe environment in which security professionals, developers, and students can learn how common security issues arise and how to mitigate them.
It ships with a large set of vulnerabilities and built-in hints, which makes it a convenient web hacking lab. It is used for self-study, classroom instruction, Capture The Flag (CTF) challenges, and as a target for evaluating vulnerability assessment tools.
Key Benefits of OWASP Mutillidae II
- Education and Training: Mutillidae II is an excellent tool for training individuals in web application security. It provides a hands-on learning experience for understanding various vulnerabilities, attack techniques, and mitigation strategies.
- Realistic Environment: The application is intentionally built with a range of common web application vulnerabilities, including SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and more. This allows users to practice identifying and exploiting these vulnerabilities in a controlled environment.
- Safe Practice: Since Mutillidae II is specifically designed to be vulnerable, users can experiment with different attack vectors and techniques without the risk of causing harm to real systems or data.
- Demonstration: Security professionals can use Mutillidae II to demonstrate how different vulnerabilities work, showcase potential consequences of attacks, and explain how to secure applications against these threats.
- Mitigation Techniques: By actively exploring and exploiting vulnerabilities within Mutillidae II, users can gain insights into effective mitigation techniques and best practices for securing web applications.
Key Features of OWASP Mutillidae II
- Vulnerability Variety: The application covers a wide range of vulnerabilities, such as SQL injection, XSS, command injection, file inclusion, authentication bypass, and more. This diverse set of vulnerabilities reflects the real challenges faced by web applications.
- Progressive Difficulty: Mutillidae II offers different levels of difficulty, from basic to advanced, catering to users with varying levels of expertise. This allows learners to gradually increase their skills and knowledge.
- Built-in Documentation: The application comes with extensive documentation that explains the vulnerabilities, their impact, and how to exploit and mitigate them. This helps users understand the security concepts behind each vulnerability.
- Source Code Availability: Mutillidae II provides access to its source code, enabling users to study its inner workings, customize the application, and even contribute to its development.
- Learning Paths: Mutillidae II can be used to follow specific learning paths or scenarios that guide users through the process of exploiting vulnerabilities step by step.
- Vulnerability Diversity: Mutillidae II boasts over 40 different vulnerabilities and challenges, covering a wide spectrum of security issues commonly found in web applications. These vulnerabilities span across the OWASP Top Ten for various years, including 2007, 2010, 2013, and 2017.
- Real Vulnerabilities: Unlike some training applications that require users to enter specific "magic" statements to exploit vulnerabilities, Mutillidae II features actual vulnerabilities that can be exploited without any artificial constraints. This makes the learning experience more authentic and aligned with real-world scenarios.
- Built-in Learning Resources: The project includes built-in hints, tutorials, and video tutorials to guide users through understanding and exploiting vulnerabilities effectively. This enhances the learning process by providing valuable insights and explanations.
- Multi-Platform Support: Mutillidae II can be installed on both Linux and Windows systems using different web server environments, including LAMP (Linux, Apache, MySQL, PHP), WAMP (Windows, Apache, MySQL, PHP), and XAMPP (cross-platform, Apache, MySQL, PHP, Perl). It's also available as a Docker build and pre-built Docker containers, offering flexibility in deployment.
- Pre-Installed in Security Tools: Mutillidae II comes pre-installed on various security training platforms and distributions, such as Rapid7 Metasploitable 2, Samurai Web Testing Framework (WTF), and OWASP Broken Web Apps (BWA). This makes it readily accessible for security professionals and enthusiasts using these tools.
- Easy Reset: The system can be easily restored to its default state with a single click of the "Reset" button. This feature simplifies the process of practicing and experimenting with vulnerabilities multiple times.
- Secure and Insecure Modes: Users can switch between secure and insecure modes within the application. This feature allows learners to compare the behavior of the application in a secure state versus an insecure state, helping them understand the impact of security measures.
- Wide Adoption: Mutillidae II is used in various training courses, universities, and serves as an "assess the assessor" target for vulnerability assessment software. Its extensive use highlights its reliability and effectiveness in teaching web application security.
- Frequent Updates: The project is updated frequently to address any bugs, enhance existing features, and include new vulnerabilities. This ensures that learners have access to up-to-date and relevant content.
These features contribute to making OWASP Mutillidae II a comprehensive and valuable resource for individuals looking to improve their understanding of web application security vulnerabilities and their mitigation. It's important to note that while Mutillidae II is a valuable learning resource, it should only be used in controlled environments and for educational purposes. It's not meant to be deployed in production environments due to its intentionally vulnerable nature. Always follow ethical guidelines and obtain necessary permissions before conducting security testing on any system.
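The "Secure and Insecure Modes" feature above is easiest to understand with a concrete before/after. The following is an added example and is not Mutillidae's own code: a constructed SQLite accounts table with made-up rows stands in for the application's user store, and one login query is shown the way an insecure mode builds it (string concatenation) and the way a secure mode builds it (bound parameters). Table name, columns, sample rows and payloads are all assumptions for the illustration.

```python
"""What a secure/insecure toggle demonstrates, reduced to one login query.

Added example, not Mutillidae's code. A constructed SQLite 'accounts' table with
made-up rows stands in for the application's user store; the insecure path splices
input into the SQL text, the secure path binds it as parameters.
"""
import sqlite3

SAMPLE_ROWS = [("admin", "s3cret"), ("alice", "hunter2"), ("bob", "letmein")]  # constructed data

def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ROWS)
    return db

def login_insecure(db: sqlite3.Connection, username: str, password: str) -> list:
    """Insecure mode: user input becomes part of the SQL grammar."""
    sql = ("SELECT username FROM accounts WHERE username = '" + username
           + "' AND password = '" + password + "' ORDER BY username")
    return [row[0] for row in db.execute(sql)]

def login_secure(db: sqlite3.Connection, username: str, password: str) -> list:
    """Secure mode: same query, but input travels as bound parameters, never as SQL."""
    sql = "SELECT username FROM accounts WHERE username = ? AND password = ? ORDER BY username"
    return [row[0] for row in db.execute(sql, (username, password))]

def login(db: sqlite3.Connection, username: str, password: str, secure: bool) -> list:
    """Dispatch on the security level, the way the application's toggle does."""
    return (login_secure if secure else login_insecure)(db, username, password)

if __name__ == "__main__":
    db = make_db()
    # A legitimate login, a comment-based bypass, and a tautology, in both modes.
    for user, pw in [("alice", "hunter2"), ("admin'--", "anything"), ("' OR '1'='1", "' OR '1'='1")]:
        print(f"{user!r:>14} / {pw!r:<14} insecure={login(db, user, pw, False)} secure={login(db, user, pw, True)}")
```

In insecure mode `admin'--` comments out the password check and logs in as admin, and the tautology returns every account; in secure mode both payloads are compared literally against the username column and match nothing, while the genuine credential still works. That contrast is what the application's toggle lets you observe per vulnerability.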
Installing OWASP Mutillidae II on Docker
- Clone Mutillidae Docker project github repository
$ git clone https://github.com/webpwnized/mutillidae-docker.git
There are five containers in this project:
¤ www: Apache, PHP and the Mutillidae source code. The web site is exposed on ports 80, 443, and 8080.
¤ database: the MySQL database. It is not exposed outside the Docker network; if you need direct access, add a port mapping for it in docker-compose.yml (an EXPOSE line in the Dockerfile alone does not publish a port).
¤ database_admin: the phpMyAdmin console, exposed on port 81.
¤ ldap: the OpenLDAP directory, exposed on port 389 so that the mutillidae.ldif file can be imported.
¤ ldap_admin: the phpLDAPadmin console, exposed on port 82.
The Dockerfile in each directory contains the instructions to build that container. The docker-compose.yml file sets up networking between the containers, creates the volumes, and kicks off the builds specified in the Dockerfiles.
- Change directory into the local copy of the Mutillidae Docker project github repository.
$ cd mutillidae-docker
- Run the following command to build the docker images and bring the containers up.
$ docker compose -f .build/docker-compose.yml up --build
- Confirm all five containers are running.
- Once the containers are running, the following services are available on localhost.
» Port 80, 8080: Mutillidae HTTP web interface
» Port 443: Mutillidae HTTPS web interface
» Port 81: phpMyAdmin web interface (database_admin container)
» Port 82: phpLDAPadmin web interface (ldap_admin container)
Username: cn=admin,dc=mutillidae,dc=localhost
Password: mutillidae
» Port 389: LDAP interface
Note that "localhost" here is the Docker host. Docker publishes a port on every interface of the host unless the mapping in docker-compose.yml pins it to 127.0.0.1, so on a shared network the intentionally vulnerable application, both admin consoles, and the default LDAP admin credential above are reachable by other machines. Check the mappings before bringing the stack up, and keep the host on an isolated network.
- Start the enjoyable hacking journey!
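Once the stack is up, the following added example (not part of the mutillidae-docker project) is the smoke check a tester would run against the host: it probes the published ports listed above and then performs an LDAPv3 simple bind on port 389 with the documented admin credential. The bind is implemented directly with a minimal BER encoder so the script has no dependencies; a resultCode of 0 means the default password works, which is the point to keep in mind when deciding where this host may be reachable from. The port-to-service mapping and the credential are taken from the list above; the service labels, the exit status convention and the 127.0.0.1 default are this script's own choices.

```python
"""Post-deployment smoke check for the Mutillidae Docker stack.

Added example, not part of the mutillidae-docker project. It probes the ports the
README above lists, then does an LDAPv3 simple bind on 389 with the documented
default admin credential: anything that can reach that port gets directory admin.
Ports and credential come from the README; the rest is this script's own design.
"""
import socket

HOST = "127.0.0.1"
SERVICES = {  # port -> service, as listed in the README
    80: "Mutillidae HTTP", 8080: "Mutillidae HTTP (alternate)", 443: "Mutillidae HTTPS",
    81: "phpMyAdmin", 82: "phpLDAPadmin", 389: "OpenLDAP",
}
LDAP_ADMIN_DN = "cn=admin,dc=mutillidae,dc=localhost"
LDAP_ADMIN_PW = "mutillidae"
LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS = 0, 49

def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def split_results(results: dict) -> tuple:
    """Split {port: reachable} into (open_ports, closed_ports), both sorted."""
    return (sorted(p for p, ok in results.items() if ok),
            sorted(p for p, ok in results.items() if not ok))

# Minimal BER, just enough for an LDAP simple bind (RFC 4511 / X.690).
def ber_len(n: int) -> bytes:
    """Definite length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def read_tlv(buf: bytes, pos: int) -> tuple:
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:  # long form: low bits give the number of length bytes
        count = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def build_bind_request(dn: str, password: str, msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = (tlv(0x02, b"\x03")               # version INTEGER 3
            + tlv(0x04, dn.encode())         # name LDAPDN
            + tlv(0x80, password.encode()))  # authentication CHOICE: simple [0]
    msg = tlv(0x02, bytes([msg_id])) + tlv(0x60, bind)  # BindRequest [APPLICATION 0]; msg_id < 128
    return tlv(0x30, msg)

def parse_bind_result(response: bytes) -> int:
    """Return resultCode from a BindResponse; raise ValueError on anything else."""
    tag, msg, _ = read_tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = read_tlv(msg, 0)       # skip messageID
    tag, bind_resp, _ = read_tlv(msg, pos)
    if tag != 0x61:                          # BindResponse [APPLICATION 1]
        raise ValueError("not a BindResponse")
    tag, code, _ = read_tlv(bind_resp, 0)    # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

def ldap_simple_bind(host: str, port: int, dn: str, password: str, timeout: float = 3.0):
    """Bind and return the resultCode, or None if the port does not answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_bind_request(dn, password))
            data = s.recv(1024)
    except OSError:
        return None
    return parse_bind_result(data) if data else None

def main(host: str = HOST) -> int:
    up, down = split_results({p: tcp_open(host, p) for p in SERVICES})
    for p in up:
        print(f"[+] {p:<5} {SERVICES[p]}")
    for p in down:
        print(f"[-] {p:<5} {SERVICES[p]} not reachable")
    if 389 in up:
        code = ldap_simple_bind(host, 389, LDAP_ADMIN_DN, LDAP_ADMIN_PW)
        verdict = {LDAP_SUCCESS: f"[!] default admin bind succeeded: anyone reaching {host}:389 is directory admin",
                   LDAP_INVALID_CREDENTIALS: "[+] default LDAP admin password has been changed"}
        print(verdict.get(code, f"[?] LDAP bind returned resultCode {code}"))
    return 0 if not down else 1

if __name__ == "__main__":
    import sys
    raise SystemExit(main(sys.argv[1] if len(sys.argv) > 1 else HOST))
```

Run it on the Docker host, or pass the host's LAN address as the first argument to see exactly what a neighbour on the same network sees; `docker compose -f .build/docker-compose.yml ps` shows the address each published port is actually bound on.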
For more installation options and informational guides, visit the following sites:
https://owasp.org/www-project-mutillidae-ii
https://github.com/webpwnized/mutillidae-docker