Change log:
04/22/2011: Jeremy Druin
Change Log for Mutillidae 2.0.6:
- Added a new security vulnerability and counteracting secure code. Cookies are unprotected in insecure mode, but in secure mode the cookies have the HttpOnly attribute applied to them. In reality this vulnerability was always in Mutillidae, since simply ignoring the issue leaves the vulnerability open (scripts can read the cookie values). The change acknowledges this issue and adds the defense. Once we get an SSL certificate installed, the next logical step will be to add the "Secure" attribute to cookies in secure mode, but not in insecure mode.
- Added the X-FRAME-OPTIONS: DENY click-jacking defense in secure mode. In insecure mode, the site does nothing and ignores the issue entirely. This defense only works in newer browsers; JavaScript framebusters are needed to help older browsers.
- Added insecure comments vulnerability and defense. Some developers use HTML or JavaScript comments, which are sent to the browser, instead of the framework's server-side comments (ASP.NET, Java, PHP, etc.), which are not.
- Rearranged instructions on home page to emphasize the PHP.ini configuration changes that are needed to get rid of errors.
- Rewrote opendb.inc to have error trapping and custom error handling. If there is an error, some diagnostic information will be available.
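The two defenses in this release (HttpOnly cookies and X-FRAME-OPTIONS: DENY) both hang off the site's security-mode switch. The following is an added example, not Mutillidae's own code; the `security-level` parameter, its meaning (0 = insecure, 1 = secure) and the `showhints` cookie name are assumptions made for the example. It also shows the planned "Secure" attribute, set only in secure mode and only when the request actually arrived over HTTPS.

```php
<?php
// Added example (not Mutillidae's own code): one "secure mode" flag that turns
// on the HttpOnly cookie attribute and the X-FRAME-OPTIONS: DENY header.
// $lSecurityLevel, its meaning and the cookie name are assumptions.

$lSecurityLevel = isset($_GET['security-level']) ? (int) $_GET['security-level'] : 0;
$lSecureMode = ($lSecurityLevel >= 1);

// No SSL certificate yet: the Secure attribute is applied only when the request
// really came over HTTPS, otherwise the browser would never send the cookie back.
$lOverHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// setcookie(name, value, expire, path, domain, secure, httponly)
// Must run before any output. The 7th argument marks the cookie HttpOnly, so
// script code (document.cookie) cannot read it. In insecure mode the cookie is
// sent without either attribute.
setcookie('showhints', '1', 0, '/', '', $lSecureMode && $lOverHttps, $lSecureMode);

if ($lSecureMode) {
    // Click-jacking defense for browsers that honor the header: the page may
    // not be rendered inside a frame from any origin.
    header('X-FRAME-OPTIONS: DENY');
}
?>
<html>
<body>
<?php if ($lSecureMode): ?>
<!-- Framebuster for older browsers that ignore X-FRAME-OPTIONS -->
<script type="text/javascript">
    if (top !== self) { top.location = self.location; }
</script>
<?php endif; ?>
<p>Security mode: <?php echo $lSecureMode ? 'secure' : 'insecure'; ?></p>
</body>
</html>
```

Request the page with `?security-level=1` and inspect the response headers: the `Set-Cookie` line carries `HttpOnly`, and `X-FRAME-OPTIONS: DENY` is present; with `security-level=0` both are absent.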
Change log:
04/14/2011: Jeremy Druin
Change Log for Mutillidae 2.0.5:
- browser-info.php - Patched a bug that disabled the entire page if the whois server is not reachable; now only that one line is disabled. Also replaced Windows-style file path slashes with Unix-style ones. Either slash works on Windows, but Linux accepts only the Unix-style path and otherwise throws an error.
Change log:
04/13/2011: Jeremy Druin
Change Log for Mutillidae 2.0.4:
- user-info.php - Added XSS defenses to the output so that users cannot poison their username, password or signature to cause XSS. These defenses are active only in secure mode.
- register.php - Added XSS defenses to the output so that users cannot poison their username to cause XSS. These defenses are active only in secure mode.
- header.php - Added link to this changelog. Changed style of upper header to allow more space for logged in user text. In very small screens, the text was overlapping. Also, the size of the mascot image was reduced to give the user more screen space.
- change-log.php - Added new XSS vulnerability for users to try.
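The user-info.php and register.php changes above are output-encoding fixes: the stored username and signature are encoded before they are written into the page. Mutillidae does this through the OWASP ESAPI for PHP encoder; the added example below is not the project's code and uses PHP's own htmlspecialchars() as a stand-in so it runs without the library. The row contents, `$pSecureMode` and the function names are constructed for the example.

```php
<?php
// Added example (not user-info.php's own code): rendering a user's row with
// and without output encoding. Sample data and names are assumptions.

function encodeForHTML($pString) {
    // ENT_QUOTES encodes both quote styles, so the result is safe in element
    // content and inside quoted attributes.
    return htmlspecialchars($pString, ENT_QUOTES, 'UTF-8');
}

function renderUserRow(array $pRow, $pSecureMode) {
    if ($pSecureMode) {
        $lUsername  = encodeForHTML($pRow['username']);
        $lSignature = encodeForHTML($pRow['mysignature']);
    } else {
        // Insecure mode: stored values are echoed verbatim, so markup saved in a
        // signature at registration time is executed by every viewer's browser.
        $lUsername  = $pRow['username'];
        $lSignature = $pRow['mysignature'];
    }
    return "<tr><td>$lUsername</td><td>$lSignature</td></tr>";
}

// Constructed sample row: the signature holds markup a user could have registered.
$lSampleRow = array(
    'username'    => 'alice',
    'mysignature' => '<script>alert("xss")</script>',
);

// Insecure: the script tag reaches the browser unchanged.
echo renderUserRow($lSampleRow, false) . "\n";
// Secure: &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt; is displayed as text.
echo renderUserRow($lSampleRow, true) . "\n";
```

The same encoder call protects the username and password cells; what changes per field is only the context (element content here, attribute or JavaScript elsewhere), and each context needs its own encoder.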
Change log:
03/30/2011: Jeremy Druin
Change Log for Mutillidae 2.0.3:
- index.php - Added PHP version detection. The forms-caching defenses and the server-header defenses now call header_remove() only when the PHP version is 5.3 or above, since that function does not exist in earlier versions. Made the version string a variable that holds the Mutillidae version plus "nice" output. Samurai is going through a PHP version change to 5.3 right now and XAMPP just went through the same change; this code is meant to bridge users caught between versions.
- header.php - Made version output simpler. header.php only outputs the header string.
- footer.php - Added PHP version to footer output in insecure mode. In secure mode, server version is not shown.
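The three entries above share one mechanism: decide per request whether the site is in secure mode, then strip or keep version information accordingly. The following is an added example, not index.php or footer.php as shipped; `$lSecureMode`, the version string and the function names are assumptions.

```php
<?php
// Added example (not the project's own code): version-aware removal of the
// X-Powered-By header, the forms-caching defense, and a footer that reveals
// the PHP version only in insecure mode. $lSecureMode and the version string
// are assumptions.

$lMutillidaeVersion = '2.0.3';
$lSecureMode = isset($_GET['security-level']) && (int) $_GET['security-level'] >= 1;

// header_remove() was introduced in PHP 5.3.0. On older PHP the X-Powered-By
// header cannot be dropped from script code; it must be silenced with
// expose_php = Off in php.ini, so report that instead of calling a missing function.
function removeServerVersionHeaders() {
    if (version_compare(PHP_VERSION, '5.3.0', '>=')) {
        header_remove('X-Powered-By');
        return 'X-Powered-By removed with header_remove()';
    }
    return 'PHP ' . PHP_VERSION . ' lacks header_remove(); set expose_php = Off in php.ini';
}

// Forms-caching defense: tell browsers and proxies not to store pages that carry
// form data, so the back button or a shared cache cannot replay them.
function preventFormCaching() {
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
}

// Footer text: the PHP version is information leakage, so only insecure mode shows it.
function footerVersionString($pMutillidaeVersion, $pSecureMode) {
    $lString = 'Mutillidae ' . $pMutillidaeVersion;
    if (!$pSecureMode) {
        $lString .= ' on PHP ' . PHP_VERSION;
    }
    return $lString;
}

// Headers first, output afterwards.
if ($lSecureMode) {
    $lHeaderStatus = removeServerVersionHeaders();
    preventFormCaching();
} else {
    $lHeaderStatus = 'insecure mode: server headers and caching left as-is';
}
echo '<p>' . htmlspecialchars($lHeaderStatus, ENT_QUOTES, 'UTF-8') . '</p>';
echo '<p>' . htmlspecialchars(footerVersionString($lMutillidaeVersion, $lSecureMode), ENT_QUOTES, 'UTF-8') . '</p>';
```

Note that header_remove() only affects headers PHP itself adds; the web server's own `Server:` header has to be configured at the server (for example Apache's ServerTokens), which is why the changelog discusses it in comments rather than code.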
Change log:
03/25/2011: Jeremy Druin
Change Log for Mutillidae 2.0.2 Beta:
Whole site
- Made local relative links without leading dot
- Installed on Samurai 0.95 for testing. Found that Samurai doesn't like the leading dot in local file paths. Those were removed from the index.php page.
- Made version a variable in index.php to make updating version string easier
- Added new forms caching information leakage vulnerability
- Added new vulnerability for X-Powered-By and discussed removing the Server HTTP header in comments
Change log:
03/23/2011: Jeremy Druin
Change Log for Mutillidae 2.0.1 Beta:
Whole site
- Replaced root relative links with local relative links to allow more freedom in root folder name
- Added email address for Jeremy
- Added change log to site
- Added Toggle Hints into core menu but link disappears in secure mode
- Added new failure to restrict URL access vuln
Change log:
03/23/2011: Jeremy Druin
Change Log for Mutillidae 2.0 Beta:
Whole site
- Site implements the OWASP ESAPI API for PHP including showing how to instantiate classes and call methods for output encoding.
- Site now allows user to switch between secure and insecure mode to allow the user to employ an attack then try the same attack against more secure code
- All code for both modes of operation is available for inspection and includes extensive explanatory comments for both the insecure and secure sections. Code is commented in such a way as to help developers understand the security concepts as opposed to only seeing the PHP implementation
- Added custom error handling to site which reacts differently depending on security mode
- Site has larger hint sections with more hints included
- Added menuing system for easier navigation
- Added toolbar at top of each page for critical functions (hints, security mode, home page, etc.)
- Converted styles to CSS
- Collected images into single folder
- Added links to helpful tools and sites with more information: OWASP, Toad for PHP, Eclipse PDT, Samurai WTF, and BackTrack 4 R2
- Released new web interface design and navigation for each page
- Installed TRY/CATCH handling in all pages
add-to-your-blog.php
- additional reflected XSS vuln added
- SQLi vector added
- additional stored XSS vuln added
- demonstrates output encoding
- demonstrates SQLi prevention
- non-input box attack vector added
browser-info.php
- demonstrates safer JavaScript
- created ClientInformationHandler class to gather client information
- demonstrates output encoding
- added JavaScript attack vector using innerHTML
credits.php
- added Insecure Direct Object Reference defenses
dns-lookup.php
- In secure mode, added strong server-side validation for page. Page allows both ip based and DNS name based attacks and includes defenses for both.
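Strong server-side validation for a lookup page means accepting only values that are either a well-formed IP address or a well-formed DNS name before they go anywhere near a command line. The block below is an added example and not dns-lookup.php's own code; the function names, the `nslookup` invocation and the sample inputs are assumptions constructed for it.

```php
<?php
// Added example (not dns-lookup.php's code): accept an IP address or a DNS name,
// reject everything else, and quote the value before it reaches a shell.
// Function names and sample inputs are assumptions.

function isValidIPAddress($pValue) {
    // Covers both IPv4 and IPv6.
    return filter_var($pValue, FILTER_VALIDATE_IP) !== false;
}

function isValidHostname($pValue) {
    // RFC 1123 style labels: letters, digits and hyphens, 1-63 characters each,
    // no leading or trailing hyphen, whole name at most 253 characters.
    if (strlen($pValue) > 253) {
        return false;
    }
    $lLabel = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return preg_match('/^' . $lLabel . '(\.' . $lLabel . ')*$/', $pValue) === 1;
}

// Returns the cleaned value, or null when it fails both checks.
function validateLookupTarget($pValue) {
    $pValue = trim($pValue);
    if (isValidIPAddress($pValue) || isValidHostname($pValue)) {
        return $pValue;
    }
    return null;
}

function buildLookupCommand($pTarget) {
    // Validation already excludes shell metacharacters; quoting is defense in depth.
    return 'nslookup ' . escapeshellarg($pTarget);
}

// Constructed sample inputs: two addresses, one name, two values that must be rejected.
$lSamples = array('127.0.0.1', '2001:db8::1', 'www.owasp.org', 'host name;extra', '-option');
foreach ($lSamples as $lSample) {
    $lTarget = validateLookupTarget($lSample);
    echo str_pad($lSample, 16) . ' => '
        . ($lTarget === null ? 'rejected' : buildLookupCommand($lTarget)) . "\n";
}
```

In insecure mode the page would skip validateLookupTarget() and hand the raw value to the command; the secure path rejects the last two samples and only ever builds a command from a value matching one of the two grammars.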
footer.php
- added new attack vector to allow reflected XSS via HTTP headers
- added defenses for input coming from HTTP headers
- added comments encouraging developers to treat ALL input as evil and not just the input boxes they created
header.php
- Replaced menu with mouseover navigation and updated menu with new attacks
- Added new stored cross site scripting attacks and defenses
- Added code to allow site to ignore user created cookies in secure mode and react to user created cookies in insecure mode
home.html
- Added instructions
- Added warning about PHP.ini files that come with new XAMPP/PHP versions 5.3 and 6.0 (future)
homenotes.php
- Created newly formatted hints section
index.php
- Created new processing framework
- Added the ability to use session storage
- Installed initialization code
login.php
- added HTML maxlength attributes so users can practice circumventing trivial and useless HTML-based (client-side) defenses
- Added detection of whether the user is currently logged in. The site auto-detects when users are logged in and changes links appropriately
- Added new reflected XSS vector
process-commands.php
- new file which collects all "do" commands together
- installed several new attack vectors and defenses based on the "do" commands
redirectandlog.php
- Created new HTTP parameter pollution attack
- Installed advanced mapping defenses with validation
- Installed strong validation defenses
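The redirectandlog.php defenses come down to two habits: read request variables from one explicit scope rather than $_REQUEST, and map a short user-supplied key onto a server-side table instead of accepting a URL. The following is an added example, not the page's own code; the parameter name `forwardurl`, the target table and the placeholder URL are assumptions.

```php
<?php
// Added example (not redirectandlog.php's code): scoping request variables and
// mapping a user-supplied key to a fixed redirect target. Names and the target
// table are assumptions; example.org is a placeholder.

// Allowed targets keyed by short token. The user never supplies a URL, so there
// is nothing to validate beyond "is this key in the table".
$lRedirectTargets = array(
    'owasp'   => 'http://www.owasp.org/',
    'home'    => 'http://example.org/',
);

function resolveRedirectTarget(array $pTargets) {
    // Read only from $_GET, never $_REQUEST. With $_REQUEST a POST field or a
    // cookie named "forwardurl" can silently override the query-string value,
    // which is the request-scope flavor of HTTP parameter pollution.
    if (!isset($_GET['forwardurl'])) {
        return null;
    }
    $lKey = $_GET['forwardurl'];

    // PHP keeps the last of duplicated parameters (?forwardurl=a&forwardurl=b)
    // and turns forwardurl[]=a into an array; insist on one plain short token.
    if (!is_string($lKey) || !preg_match('/^[a-z]{1,16}$/', $lKey)) {
        return null;
    }
    return isset($pTargets[$lKey]) ? $pTargets[$lKey] : null;
}

$lTarget = resolveRedirectTarget($lRedirectTargets);
if ($lTarget === null) {
    header('HTTP/1.0 400 Bad Request');
    echo 'Unknown redirect target';
} else {
    // Log the resolved target (server-controlled), not the raw input.
    error_log('redirect to ' . $lTarget);
    header('Location: ' . $lTarget);
}
```

Because the Location header is built from the table value, no user-controlled bytes reach the header, which also closes the header-injection variant of the same page.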
register.php
- installed SQLi and XSS defenses
- reformatted page with new design and error feedback
show-log.php
- installed DoS defenses
- added DoS attack vector
- installed tabular output
- added defenses for injection attacks and XSS
- added attack vector against log
source-viewer.php/text-viewer.php
- Added/augmented attack vectors
- Added new attack vectors to allow loading of local server files
  - Filename injection (Insecure Direct Object Reference)
  - SQL Injection (Fix: Use schematized stored procedures)
  - Cross Site Scripting (Fix: Encode all output)
  - Cross Site Request Forgery (Fix: Tokenize transactions)
  - Insecure Direct Object Reference (Fix: Tokenize object references)
  - Denial of Service (Fix: Truncate log queries)
  - Loading of Local Files (Fix: Tokenize object references, filename references in this case)
  - Improper Error Handling (Fix: Employ custom error handler)
  - SQL Exception (Fix: Employ custom error handler)
  - HTTP Parameter Pollution (Fix: Scope request variables)
- Added mapping defenses
user-info.php
- added SQL and XSS defenses
- added tabular output
view-someones-blog.php
- installed SQLi and XSS defenses
- installed trivial and useless "tokens" so the user can bypass HTML code that is meant to confuse rather than defend.