mutillidae
OWASP Mutillidae II is a deliberately vulnerable PHP web application designed for security training and penetration testing practice. It contains over 40 intentional vulnerabilities covering OWASP Top Ten issues and runs on standard LAMP/WAMP stacks, Docker, or pre-installed platforms like SamuraiWTF.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | webpwnized/mutillidae |
| Owner | webpwnized |
| Primary language | PHP |
| License | GPL-3.0 — OSI-approved |
| Stars | 1.5k |
| Forks | 561 |
| Open issues | 1 |
| Latest release | Unknown |
| Last updated | 2026-06-22 |
| Source | https://github.com/webpwnized/mutillidae |
What mutillidae is
A PHP-based vulnerable web application with modular architecture (classes, labs, webservices including REST/SOAP APIs) offering configurable secure/insecure modes and one-click reset functionality. Deployable via Docker, traditional *AMP stacks, or Kubernetes; includes database operations, session handling, and multiple vulnerability categories for hands-on practice.
Get the mutillidae source
Clone the repository and explore it locally.
git clone https://github.com/webpwnized/mutillidae.gitcd mutillidae# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Deploy only on isolated networks (local lab, intranet, or containerized sandbox) with network-level access controls; never expose directly to the internet.
- Source code moved to /src directory—verify installation paths align to avoid misconfiguration; multiple deployment methods available (Docker, LAMP, Kubernetes) with corresponding video tutorials.
- One-click reset (Setup button) allows restoration to default state; ensure training participants understand this behavior so lab progress is not accidentally lost.
- Supports secure/insecure mode toggle—clarify mode selection in training objectives to avoid confusion about which vulnerabilities are active.
- Requires PHP, database (typically MySQL), and web server; standard *AMP stack dependencies mean compatibility with most Linux/Windows hosts already equipped for web development.
When to avoid it — and what to weigh
- Production or Internet-Exposed Environments — This application is deliberately vulnerable by design. Deploying it where untrusted users can access it or connecting it to the internet (except isolated lab networks) creates serious security risk; intended only for closed training or local testing environments.
- Need for Latest Zero-Day or Modern Attack Patterns — No documented latest release date and focus is historical (OWASP Top Ten 2007–2017). If evaluating modern server-side request forgery, advanced cloud misconfigurations, or recent vulnerability classes, consider a more current alternative.
- Commercial Closed-Source Requirement — Licensed under GPL-3.0, which requires any derivative work or redistribution to remain open-source. Organizations needing proprietary modifications or closed-source distribution should avoid or seek license clarification with maintainers.
- High-Availability or Performance-Critical Training — Designed for learning, not production robustness. Lacks documented SLA, redundancy, or performance guarantees; suitable only for low-concurrency lab environments with short session lifespans.
License & commercial use
Licensed under GPL-3.0 (GNU General Public License v3.0), a copyleft license requiring any modified or redistributed versions to remain open-source and include source code and the same license.
GPL-3.0 permits internal use for training and security testing without license fees. However, commercial distribution, cloud hosting for customers, or modification without open-source release are restricted. Organizations offering Mutillidae as a managed training service or packaging it into proprietary products should seek legal review or explicit permission from maintainers before proceeding.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
By design, this application contains multiple intentional vulnerabilities across SQL injection, XSS, file inclusion, and other OWASP categories. It must never be deployed in any network accessible to untrusted users or the internet. No security hardening should be attempted; doing so defeats its training purpose. Treat as a hostile environment; isolate at network, host, and container levels. Access should be limited to authorized training participants only. Assume all data and credentials used in the application are compromised.
Alternatives to consider
OWASP WebGoat
Similar educational focus on web security vulnerabilities with integrated lesson structure; more recent active maintenance and broader language support (Java-based); however, smaller vulnerability surface than Mutillidae.
DVWA (Damn Vulnerable Web Application)
Lightweight, PHP-based deliberately vulnerable app with similar OWASP Top Ten coverage and simpler deployment; smaller footprint and slightly more straightforward codebase, but fewer challenges and less community toolkit integration than Mutillidae.
HackTheBox or TryHackMe Vulnerable Environments
Cloud-hosted, maintained, regularly updated with modern vulnerabilities and realistic scenarios; no local deployment needed, but subscription-based and less customizable for specific training curricula.
Build on mutillidae with DEV.co software developers
Download OWASP Mutillidae II and set up a secure, isolated lab environment for hands-on web security practice. Use Docker for quick deployment or LAMP stacks for traditional setups. Review our installation guides and contact the maintainers if you need licensing clarification for commercial use.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
mutillidae FAQ
Can I use Mutillidae in a corporate training program?
Is Mutillidae safe to deploy on a test network?
What vulnerabilities does Mutillidae cover?
How do I install and run Mutillidae?
Software development & web development with DEV.co
Need help beyond evaluating mutillidae? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Deploy Mutillidae for Your Security Training Program
Download OWASP Mutillidae II and set up a secure, isolated lab environment for hands-on web security practice. Use Docker for quick deployment or LAMP stacks for traditional setups. Review our installation guides and contact the maintainers if you need licensing clarification for commercial use.