Practical Web Penetration Testing

5 (2 reviews total)
By Gus Khawaja
  • Instant online access to over 7,500+ books and videos
  • Constantly updated with 100+ new titles each month
  • Breadth and depth in over 1,000+ technologies
  1. Building a Vulnerable Web Application Lab

About this book

Companies all over the world want to hire professionals dedicated to application security. Practical Web Penetration Testing focuses on this very trend, teaching you how to conduct application security testing using real-life scenarios.

To start with, you’ll set up an environment to perform web application penetration testing. You will then explore different penetration testing concepts such as threat modeling, intrusion test, infrastructure security threat, and more, in combination with advanced concepts such as Python scripting for automation. Once you are done learning the basics, you will discover end-to-end implementation of tools such as Metasploit, Burp Suite, and Kali Linux. Many companies deliver projects into production by using either Agile or Waterfall methodology. This book shows you how to assist any company with their SDLC approach and helps you on your journey to becoming an application security specialist.

By the end of this book, you will have hands-on knowledge of using different tools for penetration testing.

Publication date:
June 2018


Chapter 1. Building a Vulnerable Web Application Lab

In learning about how web application vulnerabilities work, the first step is to have an environment for exploring such vulnerabilities, such as SQL Injection and Cross-Site Scripting. If this is the first time you are hearing about these types of vulnerabilities, don't worry; we will dive deeper into them later in this book.

In this chapter, I will show you how to install a vulnerable web application called Mutillidae. I know that the name sounds awkward; in fact, a Mutillidae is a type of ant (just in case you want to know what that word means).

In this chapter, you will learn how to install the application in either Windows or Ubuntu Linux; I will leave the choice up to you.

In this chapter, we will cover the following:

  • Downloading Mutillidae
  • Installing Mutillidae on a Windows machine
  • Installing Mutillidae on a Linux Ubuntu host
  • Getting familiar with Mutillidae
  • Introducing the OWASP community

Downloading Mutillidae

The best way to download Mutillidae is through An older version of the web application also exists on the Metasploitable 2 virtual machine (VM). If you're wondering what Metasploitable is, it is another virtual machine, filled with vulnerabilities for security professionals to test.

It's always better to get the latest version from SourceForge, at

To download it, all you need to do is click on the Download button, and you'll be ready for installation in both Windows and Linux. The latest version (at the time of writing this book) is 2.6; by the time you're reading, there will probably be a newer version, with more exciting functionalities. It's good to know that the owner of this application is always working on enhancing its features.


Installing Mutillidae on Windows

Mutillidae can easily be installed on Windows operating systems. In this example, I will install it on Windows 7 (this is just a personal choice). 

First, we will download and install XAMPP, which stands for Apache, MySQL, PHP, and Perl (the X at the beginning indicates that this application is cross-platform—some people call it WAMPP on Windows, replacing the X with W). So, as you may have guessed, after installing XAMPP, you will have Apache (web server), MySQL (database), and PHP (programming language).

Downloading and installing XAMPP

To download XAMPP, browse to, then choose the latest version from the list, which is 7.1.10 in my case (see the following screenshot). Then, click on the Download button to save it to your local Windows machine:

Before we start installing XAMPP, we will change the Windows User Account Control settings. To do so, open the Control Panel and click on User Accounts. When the new dialog box opens, click on Change User Account Control settings:

In the UAC window, you will need to drag the slider completely to the bottom and click on the OK button to save the changes:

It's time to install XAMPP (or WAMPP). Double-click on the downloaded file to start the installation process, and in the first dialog window, click on the Next button. In the next window, accept all of the default components, and click Next:

In the next step, you need to choose a folder to install XAMPP in. Generally, I leave it as the default path, C:\xamp, and then click on Next.

After this, you will be prompted to choose whether you want to learn about Bitnami. I would leave the checkbox checked, and click on Next.

At this stage, the setup is ready to begin installing XAMPP. Click on the last Next button, and finally, you will see the installation dialog.

After the installation has completed, you will be asked whether you want to start the Control Panel; leave it checked, so that we can start the services needed to install Mutillidae.

In the beginning, the services in the Control Panel have been stopped. We will need to start Apache and MySQL by clicking on their Start buttons:

Mutillidae installation

I'm assuming that you have already downloaded Mutillidae, as instructed previously in this chapter. Extract the compressed archive file, copy the mutillidae folder, and paste it into the C:\xamp\htdocs folder.

In order to access the Mutillidae site from the intranet, we will need to adjust the configuration file, .htaccess. Open the Mutillidae folder that you just copied, and the .htaccess file will be inside (use Notepad to open it):

Since my network IP address range is, I will add the line Allow from 10. in the allow section:

Open your browser and go to http://[your machine IP]/mutillidae. After the page loads, click on the setup/reset the DB link, and Mutillidae will install. If everything is good, you will be told that no errors were detected when resetting the database.

Finally! The installation of Mutillidae is complete:

Check this out! We have a Mutillidae home page up and running, and it's screaming, Hack me, please:


Installing Mutillidae on Linux

You probably hate Windows, so Linux is probably your favorite operating system, and you would prefer to install Mutillidae on Linux. In this section, I will use Ubuntu version 17.10 to install Mutillidae. If you have skipped the Windows installation section, let me tell you that you will need to install XAMPP on Linux before installing Mutillidae. Now, if you don't know what XAMPP is, don't worry; it refers to Apache, MySQL, PHP, and Perl. The X at the beginning indicates that this application is cross-platform (it's also called LAMPP on Linux; the L stands for Linux). So, as you may have guessed, through installing XAMPP, you will have Apache (web server), MySQL (database), and PHP (programming language).

Downloading and installing XAMPP

To download XAMPP, browse to, then choose the latest version from the list, which is 7.1.1, in my case (see the following screenshot). Then, click on the Download button to save it locally to your machine:

Open the Terminal window and make sure that your current directory is where the file is located (in my case, it's the Downloads folder). Next, you need to give the installer permission to execute, by using the following command:

Now that the installer has permission to execute, let's run it:

After executing the installer, you will be prompted with a couple of questions; hit the letter Y to say yes and continue further:

Enter a finalYbefore starting the installation of XAMPP:

Voila! XAMPP has been successfully installed on the Ubuntu machine:

Congratulations! You just finished installing XAMPP. Take note that LAMPP is installed on /opt/lampp, which is where you're going to manage your web projects.

Mutillidae installation

I'm assuming that you have already downloaded Mutillidae, as described previously. First, you will need to extract the compressed archive file. Right-click and selectExtract Here from the menu.

Next, copy the mutillidae folder into the /opt/lampp/htdocs folder:

After copying the mutillidae folder, change your directory to /opt/lampp, and start the XAMPP servers:

Open the browser, type http://[Ubuntu IP Address]/mutillidae, and replace the IP address with your own local IP address on the Ubuntu host where you installed XAMPP. Or, simply use the localhost, if you're using the browser on your Ubuntu server. To get your local IP address on Linux, type the command ifconfig in your Terminal window:

Don't panic! When the page loads for the first time, it will ask you to set up the server. In order to do so, click on the setup/reset the DB link, and Mutillidae will be installed on the XAMPP server:

Perfect! Mutillidae is installed, with no errors, according to the pop-up message. All you need to do at this point is click on the OK button, and you will be redirected to the Mutillidae home page. Amazing, right?


Using Mutillidae

Congratulations! You now have Mutillidae installed, on either Windows or Linux. You should be able to access it from any host on the intranet with the same subnet mask. I invite you to start getting familiar with the site by clicking around on the top and left menus. 

User registration

Let me give you a quick overview of how to start using Mutillidae.

First, let's register an account to use in our pen test, later in this book. On the top menu, click on the Login/Register button, and you will be redirected to the login page:

You guessed it! On this page, click on Please register hereto go to the registration page. Let's register a user,gus, and a super secret password,password123:

Finally, click on theCreate Accountbutton to create the account:

Showing hints and setting security levels

This application is meant for web application professionals who want to practice web application type vulnerabilities. (For example, SQL Injection, Cross-Site Scripting, and so on. Don't worry; you will learn about them later in this book.) While practicing, Mutillidae offers you the option to display hints, in case you are blocked and you can't find the vulnerability that you are trying to solve.

First, on the top menu, click the Toggle Hints button to enable/disable hints. Next, click on Show Popup Hints to enable the pop-up hints, and you will notice that the text changes to Hide Popup Hints, in case you change your mind and want to disable it again:

Also, you can change the complexity levels for hacking this application. By default, the security is set to 0 (completely vulnerable); click on the Toggle Security button, and the level will change to 1 (client side active). Click one more time, and the level 5 will be active (server side). If you want to go back to level 0, click on Toggle Security while you're in level 5, and it should go back to 1. I'm going to leave it on level 1 for the rest of this book.

Application reset

Things can go wrong, and the application can stop working. If this happens to Mutillidae, it means that your application is sick and needs some medication. No, I'm kidding! All you need to do is reset it. Resetting Mutillidae is simple; just click on the Reset DB button on the top menu bar, and your application will become brand new again.

OWASP Top 10

The Open Web Application Security Project (OWASP) is a community dedicated to helping people and organizations with application security topics. If you'll be working as an AppSec expert, then OWASP should be your bible; they have plenty of help sections that will make your life much easier. Just follow their guidelines and tutorials at

The OWASP community defined the Top 10 vulnerabilities related to web applications. As for Mutillidae, it dedicated a menu to these vulnerabilities. On the left menu, you will see the OWASP items organized by year (the latest is the OWASP Top 10 for 2017; see the following screenshot). OWASP always keeps this list updated with the latest web vulnerabilities:

I have dedicated a whole chapter to these vulnerabilities, later in this book. For the time being, try to get familiar with the menu items.



Congratulations, folks! You've just finished the first chapter, and I hope that you enjoyed it and learned something new. Let's look at what we went over in this chapter:

  • What Mutillidae is
  • How to download Mutillidae (and where to find it)
  • Installing XAMPP on Windows
  • Installing Mutillidae on Windows
  • Installing XAMPP on Ubuntu Linux
  • Installing Mutillidae on Ubuntu Linux
  • Registering a new user in Mutillidae
  • Showing hints in Mutillidae
  • What OWASP is, and how it is related to Mutillidae

In the next chapter, you will learn how to install your penetration testing machine, Kali Linux.

About the Author

  • Gus Khawaja

    Gus Khawaja holds a bachelor's degree in computer science. He specializes in IT security and ethical hacking. He is an author and shares his passion with millions of viewers around the world using his online courses. He also works as a cybersecurity consultant in Montreal, Canada.

    After many years of experience in programming, he turned his attention to cybersecurity and the importance that security brings to this minefield. His passion for the ethical hacking mixed with his background in programming and IT makes him a wise swiss-knife professional in the computer science domain.

    Browse publications by this author

Latest Reviews

(2 reviews total)
Picked up a few tips and tricks!
Excellent livre que je conseil a tout ceux qui s’intéressent aux test d'intrusion axés web

Recommended For You

Hands-On Application Penetration Testing with Burp Suite

Test, fuzz, and break web applications and services using Burp Suite’s powerful capabilities

By Carlos A. Lozano and 2 more
Cybersecurity: The Beginner's Guide

Understand the nitty-gritty of Cybersecurity with ease

By Erdal Ozkaya
Hands-On AWS Penetration Testing with Kali Linux

Identify tools and techniques to secure and perform a penetration test on an AWS infrastructure using Kali Linux

By Karl Gilbert and 1 more
Learn Kali Linux 2019

Explore the latest ethical hacking tools and techniques in Kali Linux 2019 to perform penetration testing from scratch

By Glen D. Singh