OWASP Mutillidae (2021)

From Embedded Lab Vienna for IoT & Security

Revision as of 12:33, 16 December 2021

Summary

OWASP Mutillidae is a free, open-source tool for practising the penetration testing of web applications. It is a "vulnerable web application": a platform on which the included exploits and security flaws can be exercised in a local environment. With over 40 different vulnerabilities and related training challenges, it covers the most common flaws of the last 15 years of web development. The vulnerabilities are real flaws in the application itself, not simulations, so the application should only be run in a protected environment, such as a virtual machine, and must never be exposed to an untrusted network: anyone who can reach it can use the same flaws to compromise the machine hosting it. The current version, Mutillidae II, was created by Jeremy Druin [1] (pseudonym: webpwnized), who also produced the tutorials for the challenges and the installation guides.


How it Operates

Every vulnerability in the application is built into a web page. Selecting an exploit from the list (e.g. Authentication Bypass) loads the corresponding vulnerable page, ready to be "hacked". Since everything runs on your local machine, nobody else is harmed, provided the web server is not reachable from outside that machine. Data such as user accounts are stored in a database that you set up when installing the application (see Installation for more information).

[Image: Muti-Dropdown.png]


Features

  • Over 40 vulnerabilities (OWASP Top Ten 2007, 2010, 2013 and 2017 [2])
  • Actually vulnerable, not simulated
  • Simple to install and maintain
  • The user can switch between 3 security levels (no security, client-side security, server-side security)
  • Used in web security courses
  • Tutorials and guides included in the application
  • Updated frequently

Interface

[Image: Mutillidae-Interface.png]

By clicking on any item in the dropdown menu, you can select any of the OWASP Top Ten challenges from the last 15 years.

  • Hints and Videos - leads directly to a structured guide on how the exercise can be completed.
  • Toggle Security - choose between the 3 security levels for each exercise.
  • Reset DB - resets the database to its initial state, discarding all user data entered during the exercises.
  • Labs - study questions associated with the exercises.

Requirements

  • Apache web server installed on your local machine
  • PHP installed on your local machine
  • A supported database (e.g. MySQL, MariaDB)
  • The Mutillidae II repository from GitHub (https://github.com/webpwnized/mutillidae)

Installation

If you already have a XAMPP/LAMPP stack set up, you can skip directly to installing Mutillidae. The creator also provides step-by-step video tutorials for the installation.

Installing Mutillidae

Go to the folder from which the Apache web server serves websites. Under XAMPP this is the "htdocs" folder; on a Linux distribution with a manually installed Apache it is usually "/var/www/html/".

Download the repository from GitHub (see Requirements) and copy its contents into the web server's folder. Then open your localhost web page in a browser and make sure you can reach the Mutillidae web interface.

To check that the database is installed correctly, press the "Reset DB" button in the web interface. If you see the message that no PHP or SQL errors were detected when resetting the database, the installation of Mutillidae succeeded.

[Image: Mutllidae-no-errors.png]
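The installation steps above turned into a script, as an added example that is not part of the original page or of the Mutillidae project. It assumes Debian/Ubuntu or XAMPP paths, that git, curl, sudo and ss are available, that the upstream repository is https://github.com/webpwnized/mutillidae, and that the copied application is then served at http://localhost/mutillidae/. Besides performing the copy, it enforces the caveat from the Summary: the Apache listener must be bound to loopback only, because the application is genuinely exploitable by anyone who can reach it.

```bash
#!/usr/bin/env bash
# Added example, not from the original page or the Mutillidae project.
# Installs Mutillidae II into the Apache web root and verifies that the
# (intentionally vulnerable) application is reachable only from this machine.
set -eu

# Assumption: upstream repository and the URL the app is served from afterwards.
MUTILLIDAE_REPO="https://github.com/webpwnized/mutillidae"
MUTILLIDAE_URL="http://localhost/mutillidae/"

# Print the first existing directory among the candidates given as arguments,
# e.g. XAMPP's htdocs or the Debian/Ubuntu default. Fails if none exists.
detect_webroot() {
  local d
  for d in "$@"; do
    if [ -d "$d" ]; then
      printf '%s\n' "$d"
      return 0
    fi
  done
  return 1
}

# Read `ss -ltn` output from stdin (one listening socket per line) and
# return 1 if any listener on a web port (80, 443, 8080) is bound to an
# address other than loopback; offending sockets are reported on stderr.
web_listeners_loopback_only() {
  local state local_addr host port leaked=0
  # Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port ...
  while read -r state _ _ local_addr _; do
    [ "$state" = "LISTEN" ] || continue
    port=${local_addr##*:}
    host=${local_addr%:*}
    case "$port" in
      80|443|8080) ;;
      *) continue ;;
    esac
    case "$host" in
      127.*|'[::1]'|localhost) ;;          # loopback only: fine
      *) printf 'exposed web listener: %s\n' "$local_addr" >&2; leaked=1 ;;
    esac
  done
  return "$leaked"
}

# The procedure from the page: clone, copy into the web root, confirm the
# interface answers, then make sure nobody outside this machine can reach it.
install_mutillidae() {
  local webroot tmp
  webroot=$(detect_webroot /opt/lampp/htdocs /var/www/html) || {
    echo "no Apache web root found; install Apache/XAMPP first" >&2
    return 1
  }
  tmp=$(mktemp -d)
  git clone --depth 1 "$MUTILLIDAE_REPO" "$tmp/mutillidae"
  sudo cp -r "$tmp/mutillidae" "$webroot/mutillidae"
  rm -rf "$tmp"

  # Same check as "open localhost and make sure you reach the interface".
  curl -fsS "$MUTILLIDAE_URL" >/dev/null \
    || { echo "Mutillidae not reachable at $MUTILLIDAE_URL" >&2; return 1; }
  echo "Mutillidae reachable at $MUTILLIDAE_URL; now press 'Reset DB' in the UI"

  if ! ss -ltn | web_listeners_loopback_only; then
    echo "WARNING: Apache listens on a non-loopback address; bind it to" \
         "127.0.0.1 (Listen 127.0.0.1:80) or firewall it before continuing" >&2
    return 1
  fi
}

# Only perform the installation when explicitly asked for: ./install.sh --install
case "${1:-}" in
  --install) install_mutillidae ;;
esac
```

Run it as `bash install.sh --install`. The listener check is the part worth keeping even if you install by hand: a default Apache binds to 0.0.0.0:80, which makes every Mutillidae flaw (including command injection) available to the whole network segment; a `Listen 127.0.0.1:80` directive or a host firewall closes that before the exercises start.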


References