Dockerfile for Mutillidae II v2.6.52 running on Ubuntu 16.04 with a Xampp v5.6.30 stack
Dockerfile for creating an Ubuntu 16.04 / Xampp v5.6.30 stack container for OWASP Mutillidae II Web Pen-Test Practice Application v2.6.52
Docker Store or docker pull bltsec/mutillidae-docker
Pull Docker Image
Pull image: docker pull bltsec/mutillidae-docker
Start: docker run -d -p 80:80 -p 443:443 --name owasp17 bltsec/mutillidae-docker
Build Docker Image
Create an empty direcotry and place the Dockerfile in it
Create the image using terminal: docker build -t mutillidae .
Start: docker run -d -p 80:80 -p 443:443 --name owasp17 bltsec/mutillidae-docker
- Go to the browser and enter http://localhost:PortYouSpecifiedForHttp/mutillidae
- Go to the browser and enter http://localhost:PortYouSpecifiedForHttp/mutillidae
- Click Enforce SSL in the web application
- Now to to https://localhost:PortYouSpecifiedForHttps/mutillidae
- Has over 40 vulnerabilities and challenges. Contains at least one vulnerability for each of the OWASP Top Ten 2007, 2010, 2013 and 2017
- Actually Vulnerable (User not asked to enter “magic” statement)
- Mutillidae can be installed on Linux, Windows XP, and Windows 7 using XAMMP making it easy for users who do not want to install or administrate their own webserver. Mutillidae is confirmed to work on XAMPP, WAMP, and LAMP.
- Installs easily by dropping project files into the "htdocs" folder of XAMPP.
- Will attempt to detect if the MySQL database is available for the user
- Preinstalled on Rapid7 Metasploitable 2, Samurai Web Testing Framework (WTF), and OWASP Broken Web Apps (BWA)
- Contains 2 levels of hints to help users get started
- Includes bubble-hints to help point out vulnerable locations
- Bubble-hints automatically give more information as hint level incremented
- System can be restored to default with single-click of "Setup" button
- User can switch between secure and insecure modes
- Secure and insecure source code for each page stored in the same PHP file for easy comparison
- Provides data capture page and stores captured data in database and file
- Allows SSL to be enforced in order to practice SSL stripping
- Used in graduate security courses, in corporate web sec training courses, and as an "assess the assessor" target for vulnerability software
- Mutillidae has been tested/attacked with Cenzic Hailstorm ARC, W3AF, SQLMAP, Samurai WTF, Backtrack, HP Web Inspect, Burp-Suite, NetSparker Community Edition, and other tools
- Instructional Videos: http://www.youtube.com/user/webpwnized
- Updates tweeted to @webpwnized
- Updated frequently
- Project Whitepaper: http://www.giac.org/paper/gwapt/3387/introduction-owasp-mutillidae-ii-web-pen-test-training-environment/126917