mutillidae
by webpwnized
OWASP Mutillidae II is a deliberately vulnerable web application designed to provide a practical, hands-on environment for learning and practicing web security techniques.
OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application providing a target for web-security training. This is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTF, and vulnerability assessment tool targets.
Primary Use Case
This tool is primarily used by security enthusiasts, educators, and penetration testers to practice identifying and exploiting web vulnerabilities in a safe, controlled environment. It is ideal for use in security training labs, classrooms, Capture The Flag (CTF) competitions, and as a target for vulnerability assessment tools.
- Contains over 40 vulnerabilities covering OWASP Top Ten from 2007 to 2017
- Deliberately vulnerable without requiring special inputs or 'magic' statements
- Easy installation on Linux and Windows AMP stacks including LAMP, WAMP, and XAMPP
- Preinstalled on popular security distributions like SamuraiWTF and OWASP BWA
- One-click system restoration to default settings via a 'Setup' button
- Ability to switch between secure and insecure modes
- Widely used in graduate courses, corporate training, and vulnerability assessment testing
- Regularly updated to maintain relevance and effectiveness
Installation
- Install a LAMP, WAMP, or XAMPP stack on your Linux or Windows system
- Clone or download the Mutillidae source code from the 'src' directory
- Follow the comprehensive installation guide in README-INSTALLATION.md
- Alternatively, run Mutillidae using Docker images from DockerHub
- For Docker installation, install Docker on your system (e.g., Ubuntu)
- Run Mutillidae container using provided Docker commands or tutorials
- Optionally deploy Mutillidae on Google Kubernetes Engine (GKE) using provided guides
- Use the 'Setup' button in the application to restore default vulnerable state
Usage
>_ Use the 'Setup' button within the web interface: restores the application to its default vulnerable state for repeated practice
>_ Switch between secure and insecure modes via the web interface: allows users to toggle the security posture of the application for testing
>_ Run the Mutillidae Docker container: launches the application in a containerized environment for easy deployment
>_ Install Mutillidae on a LAMP stack: manual installation method for traditional Linux/Windows AMP environments
- Integrate Mutillidae II in purple team exercises to simulate real-world web attacks and improve detection capabilities.
- Use Mutillidae II as a continuous training platform for red teams to practice exploitation techniques safely.
- Leverage the tool for blue team training to recognize common web vulnerabilities and improve incident response.
- Automate vulnerability scanning tools against Mutillidae II to validate scanner effectiveness and tune detection rules.
- Deploy Mutillidae II in CI/CD pipelines as a sandbox environment for developers to identify and remediate web vulnerabilities early.
