Change log:

03/23/2011: Jeremy Druin

Change Log for Mutillidae 2.0.1 Beta:

Whole site

• Replaced root relative links with local relative links to allow more freedom in root folder name
• Added email address for Jeremy
• Added change log to site
• Added Toggle Hints into core menu but link disappears in secure mode
• Added new failure to restrict URL access vuln

Change log:

03/23/2011: Jeremy Druin

Change Log for Mutillidae 2.0 Beta:

Whole site

• Site implements the OWASP ESAPI API for PHP including showing how to instantiate classes and call methods for output encoding.
• Site now allows user to switch between secure and insecure mode to allow the user to employ an attack then try the same attack against more secure code
• All code for both modes of operation are available for inspection and include large amounts of explanation comments for both the insecure and secure sections. Code is commented in such a way to help developers understand the security concepts as opposed to only seeing the PHP implementation
• Added custom error handling to site which reacts differently depending on security mode
• Site has larger hint sections with more hints included
• Added menuing system for easier navigation
• Added toolbar at top of each page for critical functions (hints, security mode, home page, etc.)
• Converted styles to CSS
• Collected images into single folder
• Added links to helpful tools and sites with more information: OWASP, Toad for PHP, Eclipse PDT, Samurai WTF, and Backtrack 4 R2
• Released new web interface design and navigation for each page
• Installed TRY/CATCH handling in all pages

add-to-your-blog.php

• additional reflected XSS vuln added
• SQLi vector added
• additional stored XSS vuln added
• demonstrates output encoding
• demonstrates SQLi prevention
• non-input box attack vector added

browser-info.php

• demonstrates safer JavaScript
• created ClientInformationHandler class to gather client information
• demonstrates output encoding
• added JavaScript attack vector using innerHTML

credits.php

• added Insecure Direct Object Reference defenses

dns-lookup.php

• In secure mode, added strong server-side validation for page. Page allows both ip based and DNS name based attacks and includes defenses for both.

footer.php

• added new attack vector to allow refelected XSS via HTTP headers
• added defenses for input coming from HTTP headers
• added comments encouraging developers to treat ALL input as evil and not just the input boxes they created

header.php

• Replaced menu with mouseover navagation and updated menu with new attacks
• Added new stored cross site scripting attacks and defenses
• Added code to allow site to ignore user created cookies in secure mode and react to user created cookies in insecure mode

home.html

• Added instructions
• Added warning about PHP.ini files that come with new XAMPP/PHP versions 5.3 and 6.0 (future)

homenotes.php

• Created newly formatted hints section

index.php

• Created new processing framework
• Added the ability to use session storage
• Installed initialization code

login.php

• added HTML maxlength to allow practice of circumventing trivial and useless HTML based defenses
• Added detection of whether user is currently logged in with new funcitonality. Site will auto-detect when users are logged in and change links appropriately
• Added new reflected XSS vector

process-commands.php

• new file which collects all "do" commands together
• installed several new attack vectors and defenses based on the "do" commands

redirectandlog.php

• Created new HTTP parameter pollution attack
• Installed advanced mapping defences with validation
• Installed strong validation defenses

register.php

• installed SQLi and XSS defenses
• reformatted page with new design and error feedback

show-log.php

• installed DOS defenses
• added DOS attack vector
• installed tabular output
• added defenses for injection attacks and XSS
• added attack vector against log

source-viewer.php/text-viewer.php

• Added/augmented attack vectors
• Added new attack vectors to allow loading of local server files
• Filename injection (Insecure Direct Object Reference)
• SQL Injection, (Fix: Use Schematized Stored Procedures)
• Cross Site Scripting, (Fix: Encode all output)
• Cross Site Request Forgery, (Fix: Tokenize transactions)
• Insecure Direct Object Reference, (Fix: Tokenize Object References)
• Denial of Service, (Fix: Truncate Log Queries)
• Loading of Local Files, (Fix: Tokenize Object Reference - Filename references in this case)
• Improper Error Handling, (Fix: Employ custom error handler)
• SQL Exception, (Fix: Employ custom error handler)
• HTTP Parameter Pollution (Fix: Scope request variables)
• Added mapping defenses

user-info.php

• added SQL and XSS defenses
• added tabular output

view-someones-blog.php

• installed SQLi and XSS defenses
• installed trivial and useless "tokens" to allow user to bypass HTML code which intends to confuse instead of defend.