Photo by USGS on Unsplash
Hacking Mutillidae II
Wasp Attack
There are few better ways to learn about offensive security than by using intentionally vulnerable applications. One such application that has stood out in a crowd for many years and has seen some notable version upgrades over the last few months is Mutillidae II [1], now available to practice ethical hacking.
Mutillidae II is provided by the OWASP Foundation [2]. The Open Worldwide Application Security Project is a cornerstone of cybersecurity on today's Internet, providing an established community with educational training materials, along with an eye-watering set of tools to improve security knowledge.
In existence for almost two decades, offered free of charge, and open source, OWASP Mutillidae II is quite a sight to the uninitiated. Built for Linux and Windows, it contains a staggering number of vulnerabilities against which to practice, along with extremely helpful tips, pitched at varying levels of experience, that walk you through some of the security challenges. The GitHub README describes Mutillidae II as an "easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTF [capture the flag], and vulnerability assessment tool targets."
In this article, I'll show you how to install Mutillidae II on an AWS instance, look at some of its genuinely impressive features to get you started, and try to take an exploit through to completion.
I'm sure at this point you are wondering about the origin of the name (and how to pronounce it). The Wikipedia [3] page does a great job of joining the dots with the link to wasps: "The Mutillidae are a family of more than 7,000 species of wasps whose wingless females resemble large, hairy ants." They're also known as velvet ants because of their dense hair.