OWASP Mutillidae II: Web Pwn in Mass Production
Version: 2.6.48 Security Level: 0 (Hosed) Hints: Enabled (1 - 5cr1pt K1dd1e) Not Logged In
 
Usage Instructions
Mutillidae implements vulnerabilities from the OWASP Top 10 2013, 2010 and 2007 in PHP. Additionally, vulnerabilities from the SANS Top 25 Programming Errors and select information disclosure vulnerabilities have been added on various pages.


Top Menu Bar

Home: Takes user to Home page
Login/Register: Takes user to Login page
Toggle Hints: Shows or hides the Hints on vulnerable pages
Show Popup Hints: Shows the popup hints over vulnerable areas of pages
Toggle Security: Changes the security level between insecure, client-side security and secure
Enforce SSL: When enforced, Mutillidae automatically redirects all HTTP requests to HTTPS
Reset DB: Drops and rebuilds all database tables and resets the project
View Log: Takes the user to view the log
View Captured Data: Takes the user to view the captured data


Left Menu Bar

The menu on the left is organized by category, then by vulnerability. Some vulnerabilities appear in more than one category because the categories overlap. Each page in Mutillidae exposes multiple vulnerabilities; some pages have half a dozen, including multiple critical vulnerabilities on the same page. A page appears in the menu under each vulnerability it exposes.

A listing of vulnerabilities is available in the menu under Documentation.


Videos

The videos on the Webpwnized YouTube Channel are likely to be of some assistance. Videos cover installation, using tools like Burp Suite, and exploits for various vulnerabilities.

Webpwnized YouTube Channel Video Tutorials


Page Hints

Besides the menus, this will be the most important feature for newcomers. To enable hints, use the "Toggle Hints" button (top menu bar). A hints section will appear only if the page contains vulnerabilities. The hints are "smart", showing only those hints that will help on the particular page.


Security Modes

Mutillidae currently has three modes: completely insecure, client-side security and secure. In insecure and client-side mode, each page is vulnerable to at least the vulnerability category under which it appears in the menu. Note that client-side security mode is just as vulnerable as insecure mode: the JavaScript validation or HTML form controls it adds run only in the browser and can be bypassed by editing the request in an intercepting proxy, so they make exploits somewhat more difficult without preventing them.

In secure mode, Mutillidae attempts to protect the pages with server-side scripts. Hints are also disabled in this mode.

The mode can be changed using the "Toggle Security" button on the top menu bar.
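The following is an added, self-contained model of the three security modes, written for this page to illustrate why client-side security is no security at all; it is not Mutillidae's PHP code. The form field, the alphanumeric constraint, the mode names used as dictionary keys and the test payload are all constructed assumptions. It compares a compliant browser, which honours the HTML constraints, with an intercepting proxy, which sends the POST body straight to the same server-side handler.

```python
"""Model of Mutillidae's three security modes (constructed example, not project code)."""
import html
import re

MODES = ("insecure", "client-side", "secure")

# Constraint the application intends to enforce on the field: short alphanumeric.
# (Assumed for illustration; Mutillidae's real fields and rules are not modelled.)
FIELD_PATTERN = re.compile(r"^[A-Za-z0-9]{1,10}$")


def render_form(mode: str) -> str:
    """Return the HTML the server would send for the form in the given mode.

    Only client-side mode adds HTML5 constraint attributes. These are evaluated
    by the browser and never by the server.
    """
    attrs = ""
    if mode == "client-side":
        attrs = ' maxlength="10" pattern="[A-Za-z0-9]+" required'
    return f'<form method="post"><input name="username"{attrs}></form>'


def handle_submission(mode: str, username: str) -> str:
    """Server-side handler.

    Insecure and client-side mode share one code path: the server trusts
    whatever arrives in the POST body and reflects it unencoded. Secure mode
    re-validates on the server and HTML-encodes the value before output.
    """
    if mode == "secure":
        if not FIELD_PATTERN.match(username):
            return "400 Bad Request: username rejected by server-side validation"
        return f"<p>Hello, {html.escape(username)}</p>"
    return f"<p>Hello, {username}</p>"


def submit_via_browser(mode: str, username: str) -> str:
    """A compliant browser enforces the constraint attributes in the rendered form."""
    form = render_form(mode)
    if 'pattern="[A-Za-z0-9]+"' in form and not FIELD_PATTERN.match(username):
        return "blocked by browser: constraint validation failed"
    return handle_submission(mode, username)


def submit_via_proxy(mode: str, username: str) -> str:
    """An intercepting proxy (or curl) posts the body directly; the browser's
    constraints are never consulted, so only the server-side code matters."""
    return handle_submission(mode, username)


def is_reflected(response: str, payload: str) -> bool:
    """True when the raw payload appears unencoded in the response."""
    return payload in response


def demo() -> dict:
    """Run the constructed payload through every mode and both clients."""
    payload = "<script>alert(1)</script>"  # constructed test input
    return {
        mode: {
            "browser": is_reflected(submit_via_browser(mode, payload), payload),
            "proxy": is_reflected(submit_via_proxy(mode, payload), payload),
        }
        for mode in MODES
    }


if __name__ == "__main__":
    for mode, r in demo().items():
        print(f"{mode:12} reflected via browser: {r['browser']!s:5}  via proxy: {r['proxy']}")
```

Run it and the middle row is the lesson: in client-side mode the browser refuses the payload but the proxy gets it reflected exactly as in insecure mode, because the server never looked at it. Only the secure mode's server-side check changes the outcome for both clients.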


"Help Me" Button

The "Help Me" button provides a basic description of the vulnerabilities on the page for which the user should try exploits. Use this button to get a quick list of issues. Use the Hints to see more details.


Bubble Hints

If popup hints are enabled ("Show Popup Hints" on the top menu bar), some of the vulnerable locations will show a bubble hint when the user hovers the mouse over the vulnerable field or area.


Just give me the exploit

Hints will typically provide some exploits. Known exploits used in testing Mutillidae are located in /documentation/mutillidae-test-scripts.txt, with documentation for each exploit explaining its usage and location.


Be Careful

Mutillidae is a "live" system. The vulnerabilities are real rather than emulated. This eliminates the frustration of having to "know what the author wants". Because of this, there are likely undocumented vulnerabilities. Also, this project endangers any machine on which it runs. Best practice is to run Mutillidae in a virtual machine isolated from the network, booted only when Mutillidae is in use. Every effort has been made to make Mutillidae able to run entirely off-line.


Whitepaper

A project whitepaper is available to explain the features of Mutillidae and suggested use-cases.

Webpwnized Twitter Channel

Introduction to OWASP Mutillidae II Web Pen Test Training Environment