Mutillidae: A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10

         As I figure most people reading this know, I make infosec video tutorials for my site Irongeek.com. I wanted to start covering more web application pen-testing tools and concepts in some of these videos. Of course, I needed a vulnerable web app or two to use for these demos. I dig WebGoat, but sometimes it's a little hard to figure out exactly what they want you to do to exploit a given web application. Also, WebGoat may be a little too complex to use when introducing a web programming newbie to web application security (it's easy to get lost in the code, especially J2EE). In an attempt to have something to use as a demo in my videos and in class, I started the Mutillidae project.

        What I'm attempting to do with Mutillidae is implement the OWASP Top 10 in PHP, and do it in such a way that it is easy to demonstrate common attacks to others. Feel free to use it in your own classes or videos, but if you do I'd love to hear about it. Many web app hobbyists and professionals used PHP, and it's pretty easy to pick up the basics of the language. The Mutillidae webpage is a set of relatively simple PHP scripts meant to illustrate the core concepts of the OWASP Top 10 vulnerabilities list. For the sake of teaching core concepts, I plan to implement all of the OWASP Top 10 vulnerabilities in multiple ways (but I could always use some help, especially in writing the hints sections).

    Here are the core goals of the Mutillidae project:

1. Make the code and examples simple to understand so as to get the point across of how a given vulnerability works. With some of the stuff in Webgoat it is s a little hard to figure how to exploit the code, Mutillidae almost exploits itself. My vulnerable apps won't be the most realistic, but they should illustrate the core concepts well.

2. Be geared in such a way that it's easy to update with new modules and hints.

3. Easy to install and run. Just download XAMPP Lite for Windows or Linux, put the scripts in the htdocs directory, and click the "Setup/reset the DB" link in the main menu .

4. When folks find bugs in my crappy code, I can legitimately say it's a feature. :)

    Go to the OWASP Top 10  page to read about a vulnerability, then choose it from the list on the left to try it out. Feel free to play with the code and fix the vulnerabilities, it can be very educational. Most of the scripts are vulnerable to more than just one of the OWASP Top 10, so I organized them by their OWASP names in the menu system.

To install:

1. Simply extract the files somewhere in the htdocs folder of XAMPP (for example htdocs/mutillidae), or run it from your Linux box after installing Apache/PHP/MySQL.

2. By the default, Mutillidae trys to connect to MySQL on the localhost with the username "root" and a blank password. To change this, edit "config.inc" with the correct information for your environment.

3. It should go without saying that you should NOT  run this code on a production network. Either run it on a private network, or restrict your web server software to only use the local loopback address. By default Mutillidae only allows access from localhost (127.*.*.*), assuming the .htaccess file I've written is honored. Edit the .htaccess file to change this behavior (not recommended on a public network, but you may want to do it for a class). If for some reason .htaccess is not parsed you can restrict the IP by finding the "Listen" line in the http.conf file and changing it to read: Listen 127.0.0.1:80

If you would like to learn about other deliberately vulnerable web applications, check out my article on the subject:

Deliberately Insecure Web Applications For Learning Web App Security

If you would like to help with the project, please contact me. Besides just the code, I could also use help in writing the hints sections. Your name and a link to your site will be added to the credits page.

 

Among the fun things that Mutillidae implements from the OWASP top 10 are:

---

OWASP Top 10 2010

---

A1 - Injection (SQL and Command)
A2 - Cross Site Scripting (XSS)
A3 - Broken Authentication and Session Management
A4 - Insecure Direct Object References
A5 - Cross Site Request Forgery (CSRF)
A6 - Security Misconfiguration
A7 - Insecure Cryptographic Storage
A8 - Failure to Restrict URL Access
A9 - Insufficient Transport Layer Protection
A10 - Unvalidated Redirects and Forwards

---

Items from the 2007 OWASP Top 10 that do not correlate to the 2010 list

---

A3 - Malicious File Execution
A6 - Information Leakage and Improper Error Handling

Video Series using Mutillidae :

Mutillidae 1: Setup
Mutillidae 2: The Top 5

 

Change log:

06/16/2010: I changed it so that now, by default, Mutillidae only allows access from localhost (127.*.*.*), assuming the .htaccess file I've written is honored. Thanks for the suggestion Kevin. I've also made the install instructions somewhat better.
04/29/2010: Updated to version 1.4 to make Mutillidae compliant with the 2010 version of the OWASP Top 10. Also added some modules, and fixed a bug I must have introduced at some point that keeps the user from inserting a single quote into their blog.
09/03/2009: I found out that my little teaching app stopped working with new versions of XAMPP. It seems I have to use <?php to start my PHP tags, using just <? no longer worked. I've updated Mutillidae to 1.3 and made it work again.
04/29/2009: Added link to first  Mutillidae video.
03/18/2009: Added the activity log section so I could show off stored user agent XSS, added information on cookie stealing with XSS to the tips section, added catch.php to show how to grab data after an XSS and did a few other minor little tweaks. Also, I changed some of the text around to include the "Ate up with suck" slogan.
03/18/2009: Thanks to Seth Misenar and the Pauldotcom guys for giving me the new tagline for this project: "Ate up with suck".
03/02/2009: Changed the comment system into a blog, and straighten up some code.
03/01/2009: First posted to the public.