In learning about how web application vulnerabilities work, the first step is to have an environment for exploring such vulnerabilities, such as SQL Injection and Cross-Site Scripting. If this is the first time you are hearing about these types of vulnerabilities, don't worry; we will dive deeper into them later in this book.
In this chapter, I will show you how to install a vulnerable web application called Mutillidae. I know that the name sounds awkward; in fact, a Mutillidae is a type of ant (just in case you want to know what that word means).
In this chapter, you will learn how to install the application in either Windows or Ubuntu Linux; I will leave the choice up to you.
In this chapter, we will cover the following:
- Downloading Mutillidae
- Installing Mutillidae on a Windows machine
- Installing Mutillidae on a Linux Ubuntu host
- Getting familiar with Mutillidae
- Introducing the OWASP community
The best way to download Mutillidae is through https://sourceforge.net/. An older version of the web application also exists on the Metasploitable 2 virtual machine (VM). If you're wondering what Metasploitable is, it is another virtual machine, filled with vulnerabilities for security professionals to test.
It's always better to get the latest version from SourceForge, at https://sourceforge.net/projects/mutillidae/:
To download it, all you need to do is click on the Download button, and you'll be ready for installation in both Windows and Linux. The latest version (at the time of writing this book) is 2.6; by the time you're reading, there will probably be a newer version, with more exciting functionalities. It's good to know that the owner of this application is always working on enhancing its features.
Mutillidae can easily be installed on Windows operating systems. In this example, I will install it on Windows 7 (this is just a personal choice).
First, we will download and install XAMPP, which stands for Apache, MySQL, PHP, and Perl (the X at the beginning indicates that this application is cross-platform—some people call it WAMPP on Windows, replacing the X with W). So, as you may have guessed, after installing XAMPP, you will have Apache (web server), MySQL (database), and PHP (programming language).
To download XAMPP, browse to https://www.apachefriends.org/download.html, then choose the latest version from the list, which is 7.1.10 in my case (see the following screenshot). Then, click on the Download button to save it to your local Windows machine:
Before we start installing XAMPP, we will change the Windows User Account Control settings. To do so, open the Control Panel and click on User Accounts. When the new dialog box opens, click on Change User Account Control settings:
In the UAC window, you will need to drag the slider completely to the bottom and click on the OK button to save the changes:
It's time to install XAMPP (or WAMPP). Double-click on the downloaded file to start the installation process, and in the first dialog window, click on the Next button. In the next window, accept all of the default components, and click Next:
In the next step, you need to choose a folder to install XAMPP in. Generally, I leave it as the default path, C:\xamp, and then click on Next.
After this, you will be prompted to choose whether you want to learn about Bitnami. I would leave the checkbox checked, and click on Next.
At this stage, the setup is ready to begin installing XAMPP. Click on the last Next button, and finally, you will see the installation dialog.
After the installation has completed, you will be asked whether you want to start the Control Panel; leave it checked, so that we can start the services needed to install Mutillidae.
In the beginning, the services in the Control Panel have been stopped. We will need to start Apache and MySQL by clicking on their Start buttons:
I'm assuming that you have already downloaded Mutillidae, as instructed previously in this chapter. Extract the compressed archive file, copy the mutillidae folder, and paste it into the C:\xamp\htdocs folder.
In order to access the Mutillidae site from the intranet, we will need to adjust the configuration file, .htaccess. Open the Mutillidae folder that you just copied, and the .htaccess file will be inside (use Notepad to open it):
Since my network IP address range is 10.0.0.0/24, I will add the line Allow from 10. in the allow section:
Open your browser and go to http://[your machine IP]/mutillidae. After the page loads, click on the setup/reset the DB link, and Mutillidae will install. If everything is good, you will be told that no errors were detected when resetting the database.
Finally! The installation of Mutillidae is complete:
Check this out! We have a Mutillidae home page up and running, and it's screaming, Hack me, please:
You probably hate Windows, so Linux is probably your favorite operating system, and you would prefer to install Mutillidae on Linux. In this section, I will use Ubuntu version 17.10 to install Mutillidae. If you have skipped the Windows installation section, let me tell you that you will need to install XAMPP on Linux before installing Mutillidae. Now, if you don't know what XAMPP is, don't worry; it refers to Apache, MySQL, PHP, and Perl. The X at the beginning indicates that this application is cross-platform (it's also called LAMPP on Linux; the L stands for Linux). So, as you may have guessed, through installing XAMPP, you will have Apache (web server), MySQL (database), and PHP (programming language).
To download XAMPP, browse to https://www.apachefriends.org/download.html, then choose the latest version from the list, which is 7.1.1, in my case (see the following screenshot). Then, click on the Download button to save it locally to your machine:
Open the Terminal window and make sure that your current directory is where the file is located (in my case, it's the Downloads folder). Next, you need to give the installer permission to execute, by using the following command:
Now that the installer has permission to execute, let's run it:
After executing the installer, you will be prompted with a couple of questions; hit the letter Y to say yes and continue further:
Enter a final Y before starting the installation of XAMPP:
Voila! XAMPP has been successfully installed on the Ubuntu machine:
Congratulations! You just finished installing XAMPP. Take note that LAMPP is installed on /opt/lampp, which is where you're going to manage your web projects.
I'm assuming that you have already downloaded Mutillidae, as described previously. First, you will need to extract the compressed archive file. Right-click and select Extract Here from the menu.
Next, copy the mutillidae folder into the /opt/lampp/htdocs folder:
After copying the mutillidae folder, change your directory to /opt/lampp, and start the XAMPP servers:
Open the browser, type http://[Ubuntu IP Address]/mutillidae, and replace the IP address with your own local IP address on the Ubuntu host where you installed XAMPP. Or, simply use the localhost, if you're using the browser on your Ubuntu server. To get your local IP address on Linux, type the command ifconfig in your Terminal window:
Don't panic! When the page loads for the first time, it will ask you to set up the server. In order to do so, click on the setup/reset the DB link, and Mutillidae will be installed on the XAMPP server:
Perfect! Mutillidae is installed, with no errors, according to the pop-up message. All you need to do at this point is click on the OK button, and you will be redirected to the Mutillidae home page. Amazing, right?
Congratulations! You now have Mutillidae installed, on either Windows or Linux. You should be able to access it from any host on the intranet with the same subnet mask. I invite you to start getting familiar with the site by clicking around on the top and left menus.
Let me give you a quick overview of how to start using Mutillidae.
First, let's register an account to use in our pen test, later in this book. On the top menu, click on the Login/Register button, and you will be redirected to the login page:
You guessed it! On this page, click on Please register here to go to the registration page. Let's register a user, gus, and a super secret password, password123:
Finally, click on the Create Account button to create the account:
This application is meant for web application professionals who want to practice web application type vulnerabilities. (For example, SQL Injection, Cross-Site Scripting, and so on. Don't worry; you will learn about them later in this book.) While practicing, Mutillidae offers you the option to display hints, in case you are blocked and you can't find the vulnerability that you are trying to solve.
First, on the top menu, click the Toggle Hints button to enable/disable hints. Next, click on Show Popup Hints to enable the pop-up hints, and you will notice that the text changes to Hide Popup Hints, in case you change your mind and want to disable it again:
Also, you can change the complexity levels for hacking this application. By default, the security is set to 0 (completely vulnerable); click on the Toggle Security button, and the level will change to 1 (client side active). Click one more time, and the level 5 will be active (server side). If you want to go back to level 0, click on Toggle Security while you're in level 5, and it should go back to 1. I'm going to leave it on level 1 for the rest of this book.
Things can go wrong, and the application can stop working. If this happens to Mutillidae, it means that your application is sick and needs some medication. No, I'm kidding! All you need to do is reset it. Resetting Mutillidae is simple; just click on the Reset DB button on the top menu bar, and your application will become brand new again.
The Open Web Application Security Project (OWASP) is a community dedicated to helping people and organizations with application security topics. If you'll be working as an AppSec expert, then OWASP should be your bible; they have plenty of help sections that will make your life much easier. Just follow their guidelines and tutorials at http://www.owasp.org.
The OWASP community defined the Top 10 vulnerabilities related to web applications. As for Mutillidae, it dedicated a menu to these vulnerabilities. On the left menu, you will see the OWASP items organized by year (the latest is the OWASP Top 10 for 2017; see the following screenshot). OWASP always keeps this list updated with the latest web vulnerabilities:
I have dedicated a whole chapter to these vulnerabilities, later in this book. For the time being, try to get familiar with the menu items.
Congratulations, folks! You've just finished the first chapter, and I hope that you enjoyed it and learned something new. Let's look at what we went over in this chapter:
- What Mutillidae is
- How to download Mutillidae (and where to find it)
- Installing XAMPP on Windows
- Installing Mutillidae on Windows
- Installing XAMPP on Ubuntu Linux
- Installing Mutillidae on Ubuntu Linux
- Registering a new user in Mutillidae
- Showing hints in Mutillidae
- What OWASP is, and how it is related to Mutillidae
In the next chapter, you will learn how to install your penetration testing machine, Kali Linux.