Mutillidae: A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10 (Ate up with suck!)

Help Irongeek.com pay for
bandwidth and research equipment:

Web Hosting By:

Sponsored by:

Affiliates:

Irongeek's Featured Links:

Web Hosting

Free Web Hosting hosting

EC-Council ECSA Training Videos

Self Luminous Exit Signs

Web Hosting:
Help Irongeek.com pay for bandwidth and research equipment:

Mutillidae: A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10 (Ate up with suck!)

Mutillidae: A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10

As I figure most people reading this know, I make infosec tutorial videos for my site Irongeek.com. I wanted to start covering more web application pen-testing tools and concepts in some of these videos. Of course, I need a vulnerable web app or two to use for these demos. I dig WebGoat, but sometimes it's a little hard to figure out exactly what they want you to do to exploit a given web application. Also, WebGoat may be a little too complex to use when introducing a web programming newbie to web application security (it's easy to get lost in the code, especially J2EE). In an attempt to have something to use as a demo in my videos and in class, I started the Mutillidae project.

What I'm attempting to do with Mutillidae is implement the OWASP Top 10 in PHP, and do it in such a way that it is easy to demonstrate common attacks to others. Feel free to use it in your own classes or videos, but if you do I'd love to hear about it. Many web app hobbyists and professionals used PHP, and it's pretty easy to pick up the basics of the language. The Mutillidae webpage is a set of related simple PHP scripts meant to illustrate the core concepts of the OWASP Top 10 vulnerabilities list. For the sake if teaching core concepts, I plan to implement all of the OWASP Top 10 vulnerabilities, in multiple ways (but I could always use some help, especially in writing the hints sections).

Here are the core goals of the Mutillidae project:

1. Make the code and examples simple to understand so as to get the point across of how a given vulnerability works. With some of the stuff in Webgoat it is s a little hard to figure how to exploit the code, Mutillidae almost exploits itself. My app won't be very realistic, but it should illustrate the core concepts well.

2. Be geared in such a way that it's easy to update with new modules and hints.

3. Easy to install and run. Just download XAMPP Lite for Windows or Linux, put the scripts in the htdocs directory, and click the "Setup/reset the DB" link in the main menu .

4. When folks find bugs in my crappy code, I can legitimately say it's a feature. :)

Go to the OWASP Top 10 page to read about a vulnerability, then choose it from the list on the left to try it out. Feel free to play with the code and fix the vulnerabilities, it can be very educational. Most of the scripts are vulnerable to more than just one of the OWASP Top 10, so I organized them by their OWASP names in the menu system.

To install: Simply extract the files somewhere in the htdocs folder of XAMPP (for example htdocs/mutillidae), or run it from your Linux box after installing Apache/PHP/MySQL. Also, it should go with out saying that you should NOT run this code on a production network. Either run it on a private network, or restrict your web server software to only use the local loopback address. You can do that by finding the "Listen" line in the http.conf file and changing it to read: Listen 127.0.0.1:80

If you would like to learn about other deliberately vulnerable web applications, check out my article on the subject:

Deliberately Insecure Web Applications For Learning Web App Security

If you would like to help with the project, please contact me. Besides just the code, I could also use help in writing the hints sections. Your name and a link to your site will be added to the credits page.

Download Mutillidae 1.3
Download Mutillidae 1.2
Download Mutillidae 1.1
Download Mutillidae 1.0

Among the fun things that Mutillidae implements from the OWASP top 10 are:

A1 - Cross Site Scripting (XSS)
A2 - Injection Flaws (SQL and Command)
A3 - Malicious File Execution
A4 - Insecure Direct Object Reference
A5 - Cross Site Request Forgery (CSRF)
A6 - Information Leakage and Improper Error Handling
A7 - Broken Authentication and Session Management
A8 - Insecure Cryptographic Storage
A9 - Insecure Communications
A10 - Failure to Restrict URL Access

Video Series using Mutillidae :

Mutillidae 1: Setup
Mutillidae 2: The Top 5

Change log:

09/03/2009: I found out that my little teaching app stopped working with new versions of XAMPP. It seems I have to use <?php to start my PHP tags, using just <? no longer worked. I've updated Mutillidae to 1.3 and made it work again.
04/29/2009: Added link to first Mutillidae video.
03/18/2009: Added the activity log section so I could show off stored user agent XSS, added information on cookie stealing with XSS to the tips section, added catch.php to show how to grab data after an XSS and did a few other minor little tweaks. Also, I changed some of the text around to include the "Ate up with suck" slogan.
03/18/2009: Thanks to Seth Misenar and the Pauldotcom guys for giving me the new tagline for this project: "Ate up with suck".
03/02/2009: Changed the comment system into a blog, and straighten up some code.
03/01/2009: First posted to the public.

Printable version of this article

blog comments powered by Disqus

Ten most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.