Application Testing

Testing for OWASP TOP 10 using Mutillidae

July 27, 2019

To test for OWASP TOP 10 we will be using Mutillidae

OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiasts. Mutillidae can be installed on Linux and Windows. With dozens of vulns and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiast, classrooms, CTF, and vulnerability assessment tool targets.

Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an “assess the assessor” target for vulnerability assessment software.

Mutillidae

It implements vulnerabilities from the OWASP Top 10 2013, 2010 and 2007 in PHP.

For this Tutorial You need to Install Kali Linux

After Installing Kali Linux you need to Install Mutillidae

Create a file and copy the following Script to Install Mutillidae and Complete LAMP Setup

#!/bin/bash
  
sudo apt update
sudo apt install php-xml php-fpm libapache2-mod-php php-mysql php-xml php-gd php-imap php-mysql php-gettext php-curl -y
sudo a2enmod proxy_fcgi setenvif
sudo systemctl restart apache2
sudo a2enconf php7.3-fpm
sudo systemctl reload apache2
sudo systemctl restart apache2.service
sudo service php7.3-fpm restart
sudo systemctl restart mysql
   
cd /tmp
git clone https://github.com/webpwnized/mutillidae
if [ $? -ne '0' ]; then
    exit 1
fi
   
if [ -d "/var/www/html/mutillidae.backup" ]; then
    sudo rm -rf /var/www/html/mutillidae.backup
fi
   
if [ -d "/var/www/html/mutillidae" ]; then
    sudo mv /var/www/html/mutillidae /var/www/html/mutillidae.backup
fi
   
sudo mkdir /var/www/html/mutillidae
sudo mv mutillidae*/* /var/www/html/mutillidae/
    
sudo chown -R www-data:www-data /var/www/html/mutillidae/
    
sudo rm -rf mutillidae*
    
cd

After The Installation is complete we need to do some configurations for MySql and PHP. Run following Commands on the terminal

a2enmod php7.3
a2dismod php7.2
systemctl restart apache2
php-fpm7.3 restart
/etc/init.d/php7.3-fpm restart
mysql -u root

Now you will enter mysql Configurations

use mysql;
 update user set authentication_string=PASSWORD('mutillidae') where user='root';
 update user set plugin='mysql_native_password' where user='root';
 flush privileges;
 quit;

Now open a browser in Kali Linux

After the installation is completed, OWASP Mutillidae II is available at http://localhost/mutillidae/

The first time you will see:

After this Click

Click «setup/reset the DB» and wait for the database populating. Next in the popup just click on ‘ОК’:

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *