[mutillidae] (https://sourceforge.net/projects/mutillidae/)

OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiest. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2, and OWASP BWA. The existing version can be updated on these platforms. With dozens of vulns and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiast, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an "assess the assessor" target for vulnerability assessment software.

Features

Has over 35 vulnerablities and challenges. Contains at least one vulnearbility for each of the OWASP Top Ten 2007 and 2010
Actually Vulnerable (User not asked to enter “magic” statement)
Mutillidae can be installed on Linux, Windows XP, and Windows 7 using XAMMP making it easy for users who do not want to install or administrate their own webserver. Mutillidae is confirmed to work on XAMPP, WAMP, and LAMP. XAMPP is the "default" deployment.
Installs easily by dropping project files into the "htdocs" folder of XAMPP.
Will attempt to detect if the MySQL database is available for the user
Preinstalled on Rapid7 Metasploitable 2, Samurai Web Testing Framework (WTF), and OWASP Broken Web Apps (BWA)
Contains 2 levels of hints to help users get started
Includes bubble-hints to help point out vulnerable locations
Bubble-hints automatically give more information as hint level incremented
System can be restored to default with single-click of "Setup" button
User can switch between secure and insecure modes
Secure and insecure source code for each page stored in the same PHP file for easy comparison
Provides data capture page and stores captured data in database and file
Allows SSL to be enforced in order to practice SSL stripping
Used in graduate security courses, in corporate web sec training courses, and as an "assess the assessor" target for vulnerability software
Mutillidae has been tested/attacked with Cenzic Hailstorm ARC, W3AF, SQLMAP, Samurai WTF, Backtrack, HP Web Inspect, Burp-Suite, NetSparker Community Edition, and other tools
Instructional Videos: http://www.youtube.com/user/webpwnized
Updates tweeted to @webpwnized
Updated frequently
Project Whitepaper: http://www.giac.org/paper/gwapt/3387/introduction-owasp-mutillidae-ii-web-pen-test-training-environment/126917

Name		Name	Last commit message	Last commit date
Latest commit History 156 Commits
.settings		.settings
ajax		ajax
classes		classes
data		data
documentation		documentation
images		images
includes		includes
javascript		javascript
owasp-esapi-php		owasp-esapi-php
passwords		passwords
phpmyadmin		phpmyadmin
styles		styles
test/testoutput		test/testoutput
webservices		webservices
.buildpath		.buildpath
.htaccess		.htaccess
.project		.project
LICENSE		LICENSE
README.md		README.md
add-to-your-blog.php		add-to-your-blog.php
arbitrary-file-inclusion.php		arbitrary-file-inclusion.php
authorization-required.php		authorization-required.php
back-button-discussion.php		back-button-discussion.php
browser-info.php		browser-info.php
cache-control.php		cache-control.php
capture-data.php		capture-data.php
captured-data.php		captured-data.php
client-side-comments.php		client-side-comments.php
client-side-control-challenge.php		client-side-control-challenge.php
credits.php		credits.php
database-offline.php		database-offline.php
directory-browsing.php		directory-browsing.php
dns-lookup.php		dns-lookup.php
document-viewer.php		document-viewer.php
framer.html		framer.html
framing.php		framing.php
hackers-for-charity.php		hackers-for-charity.php
hints-page-wrapper.php		hints-page-wrapper.php
home.php		home.php
html5-storage.php		html5-storage.php
index.php		index.php
installation.php		installation.php
level-1-hints-page-wrapper.php		level-1-hints-page-wrapper.php
login.php		login.php
page-not-found.php		page-not-found.php
password-generator.php		password-generator.php
pen-test-tool-lookup-ajax.php		pen-test-tool-lookup-ajax.php
pen-test-tool-lookup.php		pen-test-tool-lookup.php
php-errors.php		php-errors.php
phpinfo.php		phpinfo.php
phpmyadmin.php		phpmyadmin.php
privilege-escalation.php		privilege-escalation.php
process-commands.php		process-commands.php
redirectandlog.php		redirectandlog.php
register.php		register.php
rene-magritte.php		rene-magritte.php
repeater.php		repeater.php
robots-txt.php		robots-txt.php
robots.txt		robots.txt
secret-administrative-pages.php		secret-administrative-pages.php
set-background-color.php		set-background-color.php
set-up-database.php		set-up-database.php
show-log.php		show-log.php
site-footer-xss-discussion.php		site-footer-xss-discussion.php
source-viewer.php		source-viewer.php
sqlmap-targets.php		sqlmap-targets.php
ssl-enforced.php		ssl-enforced.php
ssl-misconfiguration.php		ssl-misconfiguration.php
styling-frame.php		styling-frame.php
styling.php		styling.php
text-file-viewer.php		text-file-viewer.php
upload-file.php		upload-file.php
usage-instructions.php		usage-instructions.php
user-agent-impersonation.php		user-agent-impersonation.php
user-info-xpath.php		user-info-xpath.php
user-info.php		user-info.php
user-poll.php		user-poll.php
view-someones-blog.php		view-someones-blog.php
view-user-privilege-level.php		view-user-privilege-level.php
web-workers.php		web-workers.php
xml-validator.php		xml-validator.php

License

so-sc/OWASP-mutillidae-2

Folders and files

Latest commit

History