Objective
Deploy Mutillidae, an intentionally vulnerable web application developed by OWASP, to practice detecting and exploiting web security flaws in a legal and controlled environment.
This platform allows studying OWASP TOP 10 vulnerabilities: SQL injection, XSS, CSRF, etc.
Prerequisites
- LAMP stack installed and functional (see procedure 01-LAMP)
- Debian 11 / Ubuntu server
- Git installed
- Root or sudo access
- Network connection (to clone GitHub repository)
- Isolated network (test VLAN or local network only)
Mutillidae is an INTENTIONALLY VULNERABLE application.
- NEVER expose on Internet
- NEVER in production
- Only in isolated LAB environment
- Only for educational purposes (BTS SIO)
- Destroy environment after tests
Complete Procedure
Step 1: LAMP Stack Verification
Before starting, ensure Apache, PHP, and MariaDB are running:
```bash
systemctl status apache2
systemctl status mariadb
php -v
```
Step 2: Git Installation
Git is required to clone the Mutillidae repository:
```bash
apt install git -y
```
Verify installation:
```bash
git --version
```
Step 3: Cloning Mutillidae
Navigate to the web directory and clone the official repository:
```bash
cd /var/www/html
git clone https://github.com/webpwnized/mutillidae.git
```
- /var/www/html: Apache's default document root
- The clone creates a mutillidae/ folder containing all application files
- Using the official GitHub repository ensures you get the latest version
Step 4: Permissions Configuration
Assign permissions to Apache web server:
```bash
chown -R www-data:www-data /var/www/html/mutillidae
chmod -R 755 /var/www/html/mutillidae
```
- www-data: user and group used by Apache on Debian
- chown -R: change owner recursively
- 755: owner = read/write/execute, others = read/execute
Step 5: Database Creation
Connect to MariaDB as root:
```bash
mysql -u root -p
```
Enter the root MySQL/MariaDB password when prompted.
Create dedicated database and user:
```sql
CREATE DATABASE mutillidae;
CREATE USER 'mutillidae'@'localhost' IDENTIFIED BY 'P@ssw0rd_Mutillidae2024';
GRANT ALL PRIVILEGES ON mutillidae.* TO 'mutillidae'@'localhost';
FLUSH PRIVILEGES;
EXIT;
```
- CREATE DATABASE: creates database named "mutillidae"
- CREATE USER: creates specific MySQL user (best practice: never use root)
- GRANT ALL PRIVILEGES: gives all rights on mutillidae database to this user
- FLUSH PRIVILEGES: immediately applies rights changes
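The "never use root" point above is worth checking after the fact, because a later `GRANT` can silently widen the account. The following script is an added example, not part of the original procedure or of Mutillidae: it parses the lines that `SHOW GRANTS FOR 'mutillidae'@'localhost'` prints and reports any privilege beyond USAGE that applies globally (`*.*`), to another schema, or carries WITH GRANT OPTION. The two grant listings in the script are constructed samples of that output.

```python
"""Check that the Mutillidae database account is limited to its own schema.

Added example (not part of the original procedure). Feed it the text lines
returned by SHOW GRANTS FOR 'mutillidae'@'localhost'; it flags any grant
that exceeds least privilege for the `mutillidae` database.
"""
import re

# Constructed sample: what SHOW GRANTS typically prints after Step 5.
SAMPLE_GRANTS_OK = [
    "GRANT USAGE ON *.* TO `mutillidae`@`localhost`",
    "GRANT ALL PRIVILEGES ON `mutillidae`.* TO `mutillidae`@`localhost`",
]

# Constructed sample of a misconfigured account with server-wide rights.
SAMPLE_GRANTS_BAD = [
    "GRANT ALL PRIVILEGES ON *.* TO `mutillidae`@`localhost` WITH GRANT OPTION",
]

# Captures the privilege list and the scope ("*.*", "`db`.*", "`db`.`table`").
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+", re.IGNORECASE
)


def parse_grant(line):
    """Return (privileges, scope) for one SHOW GRANTS line,
    e.g. ('ALL PRIVILEGES', 'mutillidae.*'). Raises on unexpected text."""
    m = GRANT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised grant line: {line!r}")
    privs = m.group("privs").strip().upper()
    scope = m.group("scope").replace("`", "").replace("'", "")
    return privs, scope


def excessive_grants(lines, allowed_db="mutillidae"):
    """Return the grant lines that go beyond rights on allowed_db only."""
    findings = []
    for line in lines:
        privs, scope = parse_grant(line)
        db = scope.split(".", 1)[0]
        if privs == "USAGE":
            continue  # USAGE only means "may connect"; it carries no data rights
        if db == "*" or db != allowed_db:
            findings.append(line)  # global rights or rights on another schema
        elif "WITH GRANT OPTION" in line.upper():
            findings.append(line)  # may hand its rights to other accounts
    return findings


if __name__ == "__main__":
    for label, grants in (("ok", SAMPLE_GRANTS_OK), ("bad", SAMPLE_GRANTS_BAD)):
        print(label, excessive_grants(grants) or "least privilege respected")
```

Run it on real output with `mysql -u root -p -N -e "SHOW GRANTS FOR 'mutillidae'@'localhost'"` piped into the script; an empty result from `excessive_grants` is what you want after Step 5.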
Step 6: Mutillidae Configuration
Edit database configuration file:
```bash
nano /var/www/html/mutillidae/includes/database-config.inc
```
Verify/modify connection settings:
```php
<?php
$mMySQLDatabaseUsername = 'mutillidae';
$mMySQLDatabasePassword = 'P@ssw0rd_Mutillidae2024';
$mMySQLDatabaseDatabase = 'mutillidae';
$mMySQLDatabaseHost = 'localhost';
$mMySQLDatabasePort = 3306;
?>
```
Save and exit (Ctrl+O, Enter, Ctrl+X)
Step 7: Additional PHP Modules
Install PHP modules required by Mutillidae:
```bash
apt install php-xml php-mbstring php-curl -y
```
Restart Apache to load new modules:
```bash
systemctl restart apache2
```
Step 8: Database Initialization
Access Mutillidae via browser:
```
http://SERVER_IP_ADDRESS/mutillidae
```
On first access, Mutillidae detects the empty database and offers a "Setup/Reset Database" button.
Click this button to automatically initialize tables and test data.
Alternative: Manual initialization via SQL script (if necessary):
```bash
cd /var/www/html/mutillidae/database
mysql -u mutillidae -p mutillidae < mutillidae.sql
```
Verification
Application Access Test
```
http://SERVER_IP_ADDRESS/mutillidae
```
The Mutillidae interface should display with its navigation menu.
Database Connection Verification
Click "Toggle Hints" at top right then "Toggle Database Online"
- Green icon = connection OK
- Red icon = database connection problem
Simple Vulnerability Test (XSS)
To verify the application is functional:
- Go to "OWASP 2017" → "A7 - Cross Site Scripting (XSS)" → "Reflected (First Order)"
- In the search field, enter: `<script>alert('XSS')</script>`
- A JavaScript popup should appear (proof of the XSS vulnerability)
Apache Logs Verification
```bash
tail -f /var/log/apache2/access.log
tail -f /var/log/apache2/error.log
```
Ensure no critical errors appear during navigation.
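Watching the access log is also the place to practise the defensive side of the lab: the XSS test above leaves a recognisable trace in the request line. The script below is an added example, not part of the original procedure or of Mutillidae. It parses combined-format access log lines, URL-decodes the request path (twice, so double-encoded payloads are normalised) and reports requests whose query string matches a few script-tag or SQL-injection patterns. The four log lines, including the Mutillidae page names and client addresses in them, are constructed samples.

```python
"""Flag web-attack probes in Apache access log lines.

Added example (not part of the original procedure). Reads lines in the
combined format Apache writes to /var/log/apache2/access.log by default,
decodes the request path and reports matches against simple signatures.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample log: one normal page view, the reflected-XSS test from
# this procedure, a classic SQL-injection probe, and a static asset.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Mar/2024:10:12:01 +0100] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2024:10:12:45 +0100] "GET /mutillidae/index.php?page=dns-lookup.php&target_host=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
192.168.1.31 - - [10/Mar/2024:10:13:02 +0100] "GET /mutillidae/index.php?page=user-info.php&username=admin%27+OR+%271%27%3D%271&password=x HTTP/1.1" 200 6022 "-" "curl/7.88.1"
192.168.1.20 - - [10/Mar/2024:10:13:30 +0100] "GET /mutillidae/styles/global-styles.css HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Deliberately small signature set; a real deployment would use a WAF/IDS ruleset.
SIGNATURES = [
    ("xss-script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("xss-javascript-uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("sqli-quote-or", re.compile(r"'\s*or\s*'?\d*'?\s*=", re.IGNORECASE)),
    ("sqli-union-select", re.compile(r"\bunion\b.+\bselect\b", re.IGNORECASE)),
]


def decode_path(path, rounds=2):
    """URL-decode up to `rounds` times so %253C (double-encoded '<') is caught."""
    for _ in range(rounds):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyse_line(line):
    """Parse one log line; return a dict with the matching signature names,
    or None when the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_path(m.group("path"))
    hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
    return {"ip": m.group("ip"), "time": m.group("time"),
            "path": decoded, "status": int(m.group("status")), "hits": hits}


def suspicious_requests(log_text):
    """Return only the parsed entries that matched at least one signature."""
    results = []
    for line in log_text.splitlines():
        entry = analyse_line(line)
        if entry and entry["hits"]:
            results.append(entry)
    return results


if __name__ == "__main__":
    for e in suspicious_requests(SAMPLE_LOG):
        print(f"{e['time']} {e['ip']} [{','.join(e['hits'])}] {e['path']}")
```

On the lab server, `python3 triage.py < /var/log/apache2/access.log` (after replacing `SAMPLE_LOG` with `sys.stdin.read()`) shows which of your own test requests this crude matching catches and, just as instructive, which it misses.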
Security and Limitations
Firewall configuration to restrict access:
```bash
# Block all incoming access by default
ufw default deny incoming
# Allow only the local network (example: 192.168.1.0/24)
ufw allow from 192.168.1.0/24 to any port 80
# Allow SSH only from the local network
ufw allow from 192.168.1.0/24 to any port 22
# Enable the firewall
ufw enable
```
Isolation via VirtualBox/VMware
- Use "Host-Only" or "Internal Network" mode
- DO NOT use "Bridged" or "NAT" mode with port forwarding
- Create a dedicated VLAN for security testing
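A firewall rule added later (for example a plain `ufw allow 80/tcp`) can quietly undo the isolation above. The script below is an added example, not part of the original procedure: it parses the table printed by `ufw status` and reports any ALLOW rule for the web or SSH port whose source is not inside the lab network. `LAB_NET` reuses the 192.168.1.0/24 range from the rules above and is an assumption to adjust; the status text is a constructed sample in the layout ufw prints on Debian/Ubuntu, with one stray rule that would expose port 80 to any source.

```python
"""Verify that ufw admits only the lab network to the Mutillidae host.

Added example (not part of the original procedure). Parses `ufw status`
output and flags ALLOW rules on watched ports whose source is "Anywhere"
or a network outside LAB_NET.
"""
import ipaddress
import re

LAB_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption: same range as the ufw rules
WATCHED_PORTS = {80, 22}

# Constructed sample of `ufw status` after this procedure's rules, plus
# two stray rules (IPv4 and IPv6) that open port 80 to any source.
SAMPLE_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       192.168.1.0/24
22                         ALLOW       192.168.1.0/24
80/tcp                     ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
"""

# Columns are separated by runs of at least two spaces; "(v6)" keeps its single space.
RULE_RE = re.compile(
    r"^(?P<to>.+?)\s{2,}(?P<action>ALLOW|DENY|REJECT|LIMIT)(?: (?:IN|OUT))?"
    r"\s{2,}(?P<from>.+?)\s*$"
)


def parse_rules(status_text):
    """Return one dict per rule line: {'to', 'action', 'from'}."""
    rules = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line)
        if m:  # header, separator and "Status:" lines never match the action column
            rules.append({"to": m.group("to"), "action": m.group("action"),
                          "from": m.group("from")})
    return rules


def rule_port(to):
    """Extract the port from the To column ('80', '80/tcp', '80/tcp (v6)')."""
    m = re.search(r"(?:^|\s)(\d+)(?:/(?:tcp|udp))?(?: \(v6\))?$", to)
    return int(m.group(1)) if m else None


def source_is_lab(src, lab_net=LAB_NET):
    """True when the From column is a host or network inside lab_net."""
    src = src.replace(" (v6)", "")
    if src == "Anywhere":
        return False
    try:
        net = ipaddress.ip_network(src, strict=False)
    except ValueError:
        return False
    return net.version == lab_net.version and net.subnet_of(lab_net)


def exposed_rules(status_text, lab_net=LAB_NET, ports=WATCHED_PORTS):
    """Return ALLOW rules on watched ports that are not limited to lab_net."""
    findings = []
    for rule in parse_rules(status_text):
        if rule["action"] != "ALLOW":
            continue
        port = rule_port(rule["to"])
        if port in ports and not source_is_lab(rule["from"], lab_net):
            findings.append(rule)
    return findings


if __name__ == "__main__":
    for r in exposed_rules(SAMPLE_STATUS):
        print(f"exposed: port {rule_port(r['to'])} allowed from {r['from']}")
```

On the server, `ufw status | python3 check_ufw.py` (reading `sys.stdin` instead of `SAMPLE_STATUS`) should print nothing once only the two lab-restricted rules remain.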
Technical Limitations
- No SSL/TLS certificate (HTTPS) configured
- No WAF (Web Application Firewall)
- No intrusion detection system (IDS)
- No advanced network segmentation
- Minimal configuration for LAB environment only
Best Practices
- Documentation: note all tested and exploited vulnerabilities
- Destruction: delete environment after tests
- Legality: never test on unauthorized systems
- Learning: understand each vulnerability in order to counter it more effectively
Mutillidae Removal After Tests
```bash
rm -rf /var/www/html/mutillidae
mysql -u root -p
```
Then, in the MariaDB shell:
```sql
DROP DATABASE mutillidae;
DROP USER 'mutillidae'@'localhost';
EXIT;
```
Vulnerabilities Covered by Mutillidae
| OWASP Category | Vulnerability Type |
|---|---|
| A1 - Injection | SQL Injection, Command Injection, LDAP Injection |
| A2 - Broken Authentication | Session fixation, Credential management |
| A3 - Sensitive Data Exposure | Sensitive information in clear text |
| A4 - XML External Entities (XXE) | XML injection |
| A5 - Broken Access Control | Privilege escalation, IDOR |
| A6 - Security Misconfiguration | Configuration errors |
| A7 - Cross-Site Scripting (XSS) | Reflected XSS, stored XSS, DOM-based |
| A8 - Insecure Deserialization | Insecure deserialization |
| A9 - Using Components with Known Vulnerabilities | Obsolete libraries |
| A10 - Insufficient Logging & Monitoring | Insufficient logs |
Key Points for BTS Oral Exam
- Mutillidae: OWASP application for offensive cybersecurity training
- Educational utility: understand vulnerabilities to better fix them
- Never in production: isolated LAB environment only
- OWASP TOP 10: reference of 10 most critical web vulnerabilities
- Pentesting: penetration testing in legal and authorized framework
- Network isolation: firewall, VLAN, Host-Only network mandatory
- Similar alternative: DVWA (Damn Vulnerable Web Application)
Additional Resources
- Official OWASP site: https://owasp.org
- Mutillidae documentation: GitHub - webpwnized/mutillidae (https://github.com/webpwnized/mutillidae)
- OWASP TOP 10: https://owasp.org/www-project-top-ten/
- Free training: OWASP WebGoat