Mutillidae: Born to be Hacked
Version: 2.1.19 Not Logged In
Home Login/Register Toggle Hints Toggle Security Reset DB View Log View Captured Data

OWASP
Site hacked...err...quality-tested with Samurai WTF, Backtrack, Firefox, Burp-Suite, Netcat, and these Mozilla Add-ons
 
 
Twitter
@webpwnized
 
YouTube
Mutillidae
Channel
 
Developed by Adrian "Irongeek" Crenshaw and Jeremy Druin
Register for an Account
Please choose your username, password and signature
Username
Password
Confirm Password
Signature
Hints
  • For XSS:XSS is easy stuff. This one shows off stored XSS (someone can run across it later in another app that uses the same database). Check out the "User Info" page for the results of this stored XSS. "<script>alert("XSS");</script>" is the classic XSS demo, but there are far more interesting things you could do which I plan show in a video later. Also, check out Rsnake's XSS Cheet Sheet for more ways you can encode XSS attacks that may allow you to get around some filters.
  • For SQL Injection: Mostly errors, but they reveal too much information about the application.
  • Try SQL injection probing by entering single-quotes, double-quotes, paranthesis, double-dash (--), hyphen-asterik (/*), and closing-parenthesis-hyphen-hyphen ()--)
Browser: Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
PHP Version: 5.2.4-2ubuntu5.10
The newest version of Mutillidae can downloaded from Irongeek's Site