In learning about how web application vulnerabilities work, the first step is to have an environment for exploring such vulnerabilities, such as SQL Injection and Cross-Site Scripting. If this is the first time you are hearing about these types of vulnerabilities, don't worry; we will dive deeper into them later in this book.
In this chapter, I will show you how to install a vulnerable web application called Mutillidae. I know that the name sounds awkward; in fact, a Mutillidae is a type of ant (just in case you want to know what that word means).
In this chapter, we will cover the following:
- Downloading Mutillidae
- Installing Mutillidae on a Windows machine
- Installing Mutillidae on a Linux Ubuntu host
- Getting familiar with Mutillidae
- Introducing the OWASP community
The best way to download Mutillidae is through https://sourceforge.net/. An older version of the web application also exists on the Metasploitable 2 virtual machine (VM). If you're wondering what Metasploitable is, it is another virtual machine, filled with vulnerabilities for security professionals to test.
It's always better to get the latest version from SourceForge, at https://sourceforge.net/projects/mutillidae/:
To download it, all you need to do is click on the Download button, and you'll be ready for installation on both Windows and Linux. The latest version (at the time of writing this book) is 2.6; by the time you're reading, there will probably be a newer version, with more exciting functionalities. It's good to know that the owner of this application is always working on enhancing its features.
First, we will download and install XAMPP, which stands for Apache, MySQL, PHP, and Perl (the X at the beginning indicates that this application is cross-platform; some people call it WAMPP on Windows, replacing the X with W). So, as you may have guessed, after installing XAMPP, you will have Apache (web server), MySQL (database), and PHP (programming language).
To download XAMPP, browse to https://www.apachefriends.org/download.html, then choose the latest version from the list, which is 7.1.10 in my case (see the following screenshot). Then, click on the Download button to save it to your local Windows machine:
Before we start installing XAMPP, we will change the Windows User Account Control settings. To do so, open the Control Panel and click on User Accounts. When the new dialog box opens, click on Change User Account Control settings:
In the UAC window, you will need to drag the slider completely to the bottom and click on the OK button to save the changes (this lowers the protection that UAC gives the host, so restore the setting once the installation is finished):
It's time to install XAMPP (or WAMPP). Double-click on the downloaded file to start the installation process, and in the first dialog window, click on the Next button. In the next window, accept all of the default components, and click Next.
In the next step, you need to choose a folder to install XAMPP in. Generally, I leave it as the default path, C:\xamp, and then click on Next.
After this, you will be prompted to choose whether you want to learn about Bitnami. I would leave the checkbox checked, and click on Next.
After the installation has completed, you will be asked whether you want to start the Control Panel; leave it checked, so that we can start the services needed to install Mutillidae.
I'm assuming that you have already downloaded Mutillidae, as instructed previously in this chapter. Extract the compressed archive file, copy the mutillidae folder, and paste it into the
In order to access the Mutillidae site from the intranet, we will need to adjust the configuration file, .htaccess. Open the Mutillidae folder that you just copied, and the .htaccess file will be inside (use Notepad to open it):
Since my network IP address range is 10.0.0.0/24, I will add the line Allow from 10. in the .htaccess file. Keep in mind that this rule admits every host it matches to a deliberately vulnerable application, so the machine should sit on an isolated lab network rather than a production one.
Open your browser and go to http://[your machine IP]/mutillidae. After the page loads, click on the setup/reset the DB link, and Mutillidae will install. If everything is good, you will be told that no errors were detected when resetting the database.
Finally! The installation of Mutillidae is complete:
You probably hate Windows, so Linux is probably your favorite operating system, and you would prefer to install Mutillidae on Linux. In this section, I will use Ubuntu version 17.10 to install Mutillidae. If you have skipped the Windows installation section, let me tell you that you will need to install XAMPP on Linux before installing Mutillidae. Now, if you don't know what XAMPP is, don't worry; it refers to Apache, MySQL, PHP, and Perl. The X at the beginning indicates that this application is cross-platform (it's also called LAMPP on Linux; the L stands for Linux). So, as you may have guessed, through installing XAMPP, you will have Apache (web server), MySQL (database), and PHP (programming language).
To download XAMPP, browse to https://www.apachefriends.org/download.html, then choose the latest version from the list, which is 7.1.1, in my case (see the following screenshot). Then, click on the Download button to save it locally to your machine:
Open the Terminal window and make sure that your current directory is where the file is located (in my case, it's the Downloads folder). Next, you need to give the installer permission to execute, by using the following command:
Now that the installer has permission to execute, let's run it:
After executing the installer, you will be prompted with a couple of questions; hit the letter Y to say yes and continue further:
Enter a final Y before starting the installation of XAMPP:
Voila! XAMPP has been successfully installed on the Ubuntu machine:
Congratulations! You just finished installing XAMPP. Take note that LAMPP is installed on /opt/lampp, which is where you're going to manage your web projects.
Next, copy the mutillidae folder into the
After copying the mutillidae folder, change your directory to /opt/lampp, and start the XAMPP servers:
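The Linux steps above (make the installer executable, run it, copy the mutillidae folder into the web root, start the servers) and the .htaccess adjustment described in the Windows section, scripted together as an added example; this is not code from the book or from the Mutillidae project. It assumes a document root of /opt/lampp/htdocs, an Apache build that still honours the Order/Deny/Allow directives (mod_access_compat), and the chapter's 10. prefix; the installer path and the extracted mutillidae folder are passed in as arguments, and none of these paths is stated on the page.

```shell
#!/bin/sh
# Added example, not taken from the book or from the Mutillidae project.
# Assumptions (none of them stated in the chapter):
#   - the LAMPP document root is /opt/lampp/htdocs
#   - Apache accepts Order/Deny/Allow (mod_access_compat is loaded)
#   - the mutillidae folder passed in is the one extracted from the archive

WEB_ROOT="${WEB_ROOT:-/opt/lampp/htdocs}"
LAB_PREFIX="${LAB_PREFIX:-10.}"   # the chapter's value; a CIDR such as 10.0.0.0/24 also works

# Step 1: give the downloaded installer permission to execute, then run it.
install_xampp() {
    [ -f "$1" ] || { echo "installer not found: $1" >&2; return 1; }
    chmod +x "$1"
    sudo "$1"
}

# Step 2: copy the mutillidae folder into the web root; fails if it is missing.
deploy_mutillidae() {
    src="$1"; root="$2"
    [ -d "$src" ] || { echo "mutillidae folder not found: $src" >&2; return 1; }
    mkdir -p "$root"
    cp -R "$src" "$root/"
}

# Step 3: append "Allow from <prefix>" to .htaccess unless that exact line is
# already present (-x matches whole lines, so commented-out rules do not count).
add_allow_rule() {
    file="$1"; prefix="$2"
    [ -f "$file" ] || { echo ".htaccess not found: $file" >&2; return 1; }
    grep -qxF "Allow from $prefix" "$file" || printf 'Allow from %s\n' "$prefix" >> "$file"
}

# Sanity check before exposing the lab: returns 0 when the file denies by
# default and has not been opened to everyone, 1 otherwise.
htaccess_is_restricted() {
    file="$1"
    [ -f "$file" ] || return 1
    grep -qi '^[[:space:]]*Deny from all' "$file" || return 1
    grep -qi '^[[:space:]]*Allow from all' "$file" && return 1
    return 0
}

# Step 4: start Apache and MySQL through the lampp control script.
start_lampp() { sudo /opt/lampp/lampp start; }

# Run the whole procedure only when invoked as:
#   sh deploy.sh run <installer file> <mutillidae folder>
if [ "${1:-}" = "run" ]; then
    install_xampp "$2"
    deploy_mutillidae "$3" "$WEB_ROOT"
    add_allow_rule "$WEB_ROOT/mutillidae/.htaccess" "$LAB_PREFIX"
    htaccess_is_restricted "$WEB_ROOT/mutillidae/.htaccess" \
        || echo "warning: .htaccess does not deny by default" >&2
    start_lampp
fi
```

The functions can also be sourced and called one at a time; htaccess_is_restricted is the check worth running before the application is reachable from the rest of the subnet, since a copied .htaccess that reads Allow from all hands every host on the network a deliberately vulnerable site.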
Open the browser, type http://[Ubuntu IP Address]/mutillidae, and replace the IP address with your own local IP address on the Ubuntu host where you installed XAMPP. Or, simply use localhost, if you're using the browser on your Ubuntu server. To get your local IP address on Linux, type the command ifconfig in your Terminal window:
Don't panic! When the page loads for the first time, it will ask you to set up the server. In order to do so, click on the setup/reset the DB link, and Mutillidae will be installed on the XAMPP server:
Perfect! Mutillidae is installed, with no errors, according to the pop-up message. All you need to do at this point is click on the OK button, and you will be redirected to the Mutillidae home page. Amazing, right?
Congratulations! You now have Mutillidae installed, on either Windows or Linux. You should be able to access it from any host on the intranet with the same subnet mask. I invite you to start getting familiar with the site by clicking around on the top and left menus.
First, let's register an account to use in our pen test, later in this book. On the top menu, click on the Login/Register button, and you will be redirected to the login page:
You guessed it! On this page, click on Please register here to go to the registration page. Let's register a user, gus, and a super secret password,
Finally, click on the Create Account button to create the account:
This application is meant for web application professionals who want to practice against web application vulnerabilities (for example, SQL Injection, Cross-Site Scripting, and so on; don't worry, you will learn about them later in this book). While practicing, Mutillidae offers you the option to display hints, in case you are blocked and can't find the vulnerability that you are trying to solve.
First, on the top menu, click the Toggle Hints button to enable/disable hints. Next, click on Show Popup Hints to enable the pop-up hints, and you will notice that the text changes to Hide Popup Hints, in case you change your mind and want to disable them again:
Also, you can change the complexity levels for hacking this application. By default, the security is set to 0 (completely vulnerable); click on the Toggle Security button, and the level will change to 1 (client side active). Click one more time, and level 5 will be active (server side). If you want to go back to level 0, click on Toggle Security while you're in level 5, and it should go back to 1. I'm going to leave it on level 1 for the rest of this book.
Things can go wrong, and the application can stop working. If this happens to Mutillidae, it means that your application is sick and needs some medication. No, I'm kidding! All you need to do is reset it. Resetting Mutillidae is simple; just click on the Reset DB button on the top menu bar, and your application will become brand new again.
The Open Web Application Security Project (OWASP) is a community dedicated to helping people and organizations with application security topics. If you'll be working as an AppSec expert, then OWASP should be your bible; they have plenty of help sections that will make your life much easier. Just follow their guidelines and tutorials at http://www.owasp.org.
The OWASP community defined the Top 10 vulnerabilities related to web applications. As for Mutillidae, it dedicated a menu to these vulnerabilities. On the left menu, you will see the OWASP items organized by year (the latest is the OWASP Top 10 for 2017; see the following screenshot). OWASP always keeps this list updated with the latest web vulnerabilities:
I have dedicated a whole chapter to these vulnerabilities, later in this book. For the time being, try to get familiar with the menu items.
Congratulations, folks! You've just finished the first chapter, and I hope that you enjoyed it and learned something new. Let's look at what we went over in this chapter:
- What Mutillidae is
- How to download Mutillidae (and where to find it)
- Installing XAMPP on Windows
- Installing Mutillidae on Windows
- Installing XAMPP on Ubuntu Linux
- Installing Mutillidae on Ubuntu Linux
- Registering a new user in Mutillidae
- Showing hints in Mutillidae
- What OWASP is, and how it is related to Mutillidae
In the next chapter, you will learn how to install your penetration testing machine, Kali Linux.