DEV.co
Open-Source Security · webpwnized

mutillidae

OWASP Mutillidae II is a deliberately vulnerable PHP web application designed for security training and penetration testing practice. It contains over 40 intentional vulnerabilities covering OWASP Top Ten issues and runs on standard LAMP/WAMP stacks, Docker, or pre-installed platforms like SamuraiWTF.

Source: GitHub — github.com/webpwnized/mutillidae
1.5k
GitHub stars
561
Forks
PHP
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorywebpwnized/mutillidae
Ownerwebpwnized
Primary languagePHP
LicenseGPL-3.0 — OSI-approved
Stars1.5k
Forks561
Open issues1
Latest releaseUnknown
Last updated2026-06-22
Sourcehttps://github.com/webpwnized/mutillidae

What mutillidae is

A PHP-based vulnerable web application with modular architecture (classes, labs, webservices including REST/SOAP APIs) offering configurable secure/insecure modes and one-click reset functionality. Deployable via Docker, traditional *AMP stacks, or Kubernetes; includes database operations, session handling, and multiple vulnerability categories for hands-on practice.

Quickstart

Get the mutillidae source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/webpwnized/mutillidae.gitcd mutillidae# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Web Security Training & Education

Ideal for graduate courses, corporate training programs, and classroom labs where learners need a safe, realistic environment with built-in hints to practice attacking OWASP Top Ten vulnerabilities without risk to production systems.

CTF Competitions & Capture-The-Flag Events

Multi-vulnerability platform with 40+ challenges suitable for security-focused competitions, allowing teams to practice exploitation techniques across SQL injection, XSS, file inclusion, and other common vectors in a controlled sandbox.

Vulnerability Assessment Tool Validation

Serves as a reliable target for testing and tuning web application scanners and penetration testing tools, allowing security teams to verify detection capabilities against known, intentional vulnerabilities without reliance on externally hosted vulnerable apps.

Implementation considerations

  • Deploy only on isolated networks (local lab, intranet, or containerized sandbox) with network-level access controls; never expose directly to the internet.
  • Source code moved to /src directory—verify installation paths align to avoid misconfiguration; multiple deployment methods available (Docker, LAMP, Kubernetes) with corresponding video tutorials.
  • One-click reset (Setup button) allows restoration to default state; ensure training participants understand this behavior so lab progress is not accidentally lost.
  • Supports secure/insecure mode toggle—clarify mode selection in training objectives to avoid confusion about which vulnerabilities are active.
  • Requires PHP, database (typically MySQL), and web server; standard *AMP stack dependencies mean compatibility with most Linux/Windows hosts already equipped for web development.

When to avoid it — and what to weigh

  • Production or Internet-Exposed Environments — This application is deliberately vulnerable by design. Deploying it where untrusted users can access it or connecting it to the internet (except isolated lab networks) creates serious security risk; intended only for closed training or local testing environments.
  • Need for Latest Zero-Day or Modern Attack Patterns — No documented latest release date and focus is historical (OWASP Top Ten 2007–2017). If evaluating modern server-side request forgery, advanced cloud misconfigurations, or recent vulnerability classes, consider a more current alternative.
  • Commercial Closed-Source Requirement — Licensed under GPL-3.0, which requires any derivative work or redistribution to remain open-source. Organizations needing proprietary modifications or closed-source distribution should avoid or seek license clarification with maintainers.
  • High-Availability or Performance-Critical Training — Designed for learning, not production robustness. Lacks documented SLA, redundancy, or performance guarantees; suitable only for low-concurrency lab environments with short session lifespans.

License & commercial use

Licensed under GPL-3.0 (GNU General Public License v3.0), a copyleft license requiring any modified or redistributed versions to remain open-source and include source code and the same license.

GPL-3.0 permits internal use for training and security testing without license fees. However, commercial distribution, cloud hosting for customers, or modification without open-source release are restricted. Organizations offering Mutillidae as a managed training service or packaging it into proprietary products should seek legal review or explicit permission from maintainers before proceeding.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

By design, this application contains multiple intentional vulnerabilities across SQL injection, XSS, file inclusion, and other OWASP categories. It must never be deployed in any network accessible to untrusted users or the internet. No security hardening should be attempted; doing so defeats its training purpose. Treat as a hostile environment; isolate at network, host, and container levels. Access should be limited to authorized training participants only. Assume all data and credentials used in the application are compromised.

Alternatives to consider

OWASP WebGoat

Similar educational focus on web security vulnerabilities with integrated lesson structure; more recent active maintenance and broader language support (Java-based); however, smaller vulnerability surface than Mutillidae.

DVWA (Damn Vulnerable Web Application)

Lightweight, PHP-based deliberately vulnerable app with similar OWASP Top Ten coverage and simpler deployment; smaller footprint and slightly more straightforward codebase, but fewer challenges and less community toolkit integration than Mutillidae.

HackTheBox or TryHackMe Vulnerable Environments

Cloud-hosted, maintained, regularly updated with modern vulnerabilities and realistic scenarios; no local deployment needed, but subscription-based and less customizable for specific training curricula.

Software development agency

Build on mutillidae with DEV.co software developers

Download OWASP Mutillidae II and set up a secure, isolated lab environment for hands-on web security practice. Use Docker for quick deployment or LAMP stacks for traditional setups. Review our installation guides and contact the maintainers if you need licensing clarification for commercial use.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

mutillidae FAQ

Can I use Mutillidae in a corporate training program?
Yes. Mutillidae is free and open-source (GPL-3.0). You may deploy it internally for employee security training. However, if you offer managed training services or package it as a commercial product, consult the GPL-3.0 terms or contact the maintainers; redistribution may require open-sourcing your modifications.
Is Mutillidae safe to deploy on a test network?
Yes, provided the test network is isolated from the internet and untrusted users. It is deliberately vulnerable and must be treated as a hostile system. Use network access controls (firewall rules, VPN) and ensure only authorized participants can reach it.
What vulnerabilities does Mutillidae cover?
Over 40 vulnerabilities including SQL injection, XSS, file inclusion, and others from OWASP Top Ten (2007–2017). Exact coverage of modern 2021+ categories is not documented; if you need cutting-edge attack scenarios, review the actual codebase or consider newer alternatives.
How do I install and run Mutillidae?
Multiple methods: Docker (easiest, via DockerHub or local build), traditional LAMP/WAMP stacks (via comprehensive guide), or Kubernetes (GKE). Pre-installed on SamuraiWTF and OWASP BWA. Video tutorials on the webpwnized YouTube channel guide each approach. Source code is in the /src directory.

Software development & web development with DEV.co

Need help beyond evaluating mutillidae? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Deploy Mutillidae for Your Security Training Program

Download OWASP Mutillidae II and set up a secure, isolated lab environment for hands-on web security practice. Use Docker for quick deployment or LAMP stacks for traditional setups. Review our installation guides and contact the maintainers if you need licensing clarification for commercial use.