• OWASP 2017
  • A1 - Injection (SQL)
    • SQLi - Extract Data
      • User Info (SQL)
    • SQLi - Bypass Authentication
      • Login
    • SQLi - Insert Injection
      • Add to your blog
      • Register
      • View Captured Data
    • Blind SQL via Timing
      • Login
      • User Info (SQL)
    • SQLMAP Practice
      • SQLMAP Practice Targets
      • Login
      • View Someones Blog
      • User Info (SQL)
    • Via JavaScript Object Notation (JSON)
      • Pen Test Tool Lookup
      • Pen Test Tool Lookup (AJAX)
    • Via SOAP Web Service
      • Lookup User
    • Via REST Web Service
      • User Account Management
  • A1 - Injection (Other)
    • Application Log Injection
      • Add to your blog
      • DNS Lookup
      • Echo Message
      • Document Viewer
      • Capture Data Page
      • Login
      • Register User
      • Source Viewer
      • Text File Viewer
    • Buffer Overflow
      • Repeater
    • Cascading Style Injection
      • Set Background Color
    • CBC-bit Flipping
    • Command Injection
      • DNS Lookup
      • DNS Lookup (SOAP Web Service)
      • Echo Message
    • Frame Source Injection
      • Document Viewer
      • Styling with Mutilidae
    • HTML Injection (HTMLi)
      • Add to your blog
      • Browser Info
      • DNS Lookup
      • Echo Message
      • Pen Test Tool Lookup
      • Text File Viewer
      • User Info (SQL)
      • User Info (XPath)
      • Set Background Color
      • HTML5 Web Storage
      • Capture Data Page
      • View Captured Data
      • Document Viewer
      • Arbitrary File Inclusion
      • Poll Question
      • Register User
      • Login
      • Those "Back" Buttons
      • Styling with Mutilidae
      • Password Generator
    • HTMLi via HTTP Headers
      • Those "Back" Buttons
      • Browser Info
      • Site Footer
      • HTTP Response Splitting (Hint: Difficult)
    • HTMLi Via DOM Injection
      • HTML5 Web Storage
      • Password Generator
    • HTMLi Via Cookie Injection
      • Capture Data Page
    • HTTP Parameter Pollution
      • Poll Question
      • Document Viewer
    • JavaScript Injection
      • Those "Back" Buttons
      • Password Generator
      • Browser Info
    • JavaScript Object Notation (JSON) Injection
      • Pen Test Tool Lookup
      • Pen Test Tool Lookup (AJAX)
    • LDAP Injection
      • Conference Room Lookup
    • Parameter Addition
      • Repeater
      • View User Privileges
    • XML External Entity Injection
      • XML Validator
    • XML Entity Expansion
      • XML Validator
    • XML Injection
      • XML Validator
    • XPath Injection
      • User Info (XPath)
  • A2 - Broken Authentication and Session Management
    • Authentication Bypass
      • Via Brute Force
      • Via Cookies
      • Via SQL Injection
      • Via Account Hijacking
    • Priviliege Escalation
      • Via Cookies
      • Login
      • Via Account Hijacking
      • Via CBC-bit Flipping
    • Username Enumeration
      • Login
      • Edit User Profile
      • Lookup User (SOAP Web Service)
      • User Account Management (REST Web Service)
  • A3 - Sensitive Data Exposure
    • Information Disclosure
      • Edit User Profile
      • PHP MyAdmin Console
      • PHP Info Page
      • Robots.txt
      • "Secret" Administrative Pages
      • HTML5 Web Storage
      • HTML/JavaScript Comments
      • Cache-Control
      • Click-Jacking
      • Cross-Site Framing (Third-Party Framing)
      • X-Frame-Options (Click-Jacking)
      • X-Frame-Options (Cross-frame Scripting)
    • Application Path Disclosure
      • PHP MyAdmin Console
      • PHP Info Page
      • Robots.txt
    • Platform Path Disclosure
      • PHP MyAdmin Console
      • PHP Info Page
    • SSL Misconfiguration
  • A4 - XML External Entities
    • XML External Entity Injection
      • XML Validator
  • A5 - Broken Access Control
    • Insecure Direct Object References
      • Via Account Hijacking
      • Local File Inclusion
      • Remote File Inclusion
      • Text File Viewer
      • Source Viewer
      • Credits
    • Missing Function Level Access Control
      • Cookies as Auth Tokens
      • "Secret" Administrative Pages
      • Client-side Control Challenge
      • Robots.txt
  • A6 - Security Misconfiguration
    • Directory Browsing
    • Method Tampering (GET for POST)
      • Add to your blog
      • User Info (SQL)
      • User Info (XPath)
      • Poll Question
      • DNS Lookup
      • Echo Message
    • User-Agent Impersonation
    • Unrestricted File Upload
    • SSL Misconfiguration
    • PHP MyAdmin Console
    • PHP Info Page
    • Robots.txt
    • Cache-Control
    • Click-Jacking
    • Cross-Site Framing (Third-Party Framing)
  • A7 - Cross Site Scripting (XSS)
    • Reflected (First Order)
      • DNS Lookup
      • Echo Message
      • Pen Test Tool Lookup
      • Text File Viewer
      • User Info (SQL)
      • Set Background Color
      • HTML5 Web Storage
      • Capture Data Page
      • Document Viewer
      • Arbitrary File Inclusion
      • XML Validator
      • User Info (XPath)
      • Poll Question
      • Register User
      • Browser Info
      • Those "Back" Buttons
      • Styling with Mutilidae
      • Password Generator
      • Client-side Control Challenge
    • Persistent (Second Order)
      • Add to your blog
      • View someone's blog
      • Register User
      • Edit User Profile
      • Show Log
    • DOM-Based
      • HTML5 Web Storage
      • Password Generator
    • Cross Site Request Forgery (CSRF)
      • Add to your blog
      • Register User
      • Poll Question
    • Via "Input" (GET/POST)
      • Add to your blog
      • View someone's blog
      • Show Log
      • Text File Viewer
      • DNS Lookup
      • Echo Message
      • User Info (SQL)
      • User Info (XPath)
      • Missing HTTPOnly Attribute
      • Set Background Color
      • Pen Test Tool Lookup
      • Document Viewer
    • Via HTTP Headers
      • Browser Info
      • Show Log
      • Site Footer
      • Those "Back" Buttons
    • Via HTTP Attribute
      • Document Viewer
    • Via Misconfiguration
      • Missing HTTPOnly Attribute
    • Against HTML5 Web Storage
      • HTML5 Web Storage
    • Against JSON
      • Pen Test Tool Lookup
    • Via Cookie Injection
      • Capture Data Page
    • Via XML Injection
      • XML Validator
    • Via XPath Injection
      • User Info (XPath)
    • Via Path Relative Style Sheet Injection
      • Styling with Mutilidae
    • BeeF Framework Targets
      • Add to your blog
      • View someone's blog
      • Show Log
      • DNS Lookup
      • Echo Message
      • Pen Test Tool Lookup
      • Text File Viewer
      • User Info (SQL)
      • Set Background Color
      • HTML5 Web Storage
      • Capture Data Page
      • Document Viewer
      • Arbitrary File Inclusion
      • XML Validator
      • User Info (XPath)
      • Poll Question
      • Register User
      • Password Generator
  • A8 - Insecure Deserialization
  • A9 - Using Components with Known Vulnerabilities
    • PHP MyAdmin Console
    • PHP Info Page
    • CBC-bit Flipping
    • SSL Misconfiguration
  • A10 - Insufficient Logging and Monitoring

• OWASP 2013
  • A8 - Cross Site Request Forgery (CSRF)
    • Add to your blog
    • Register User
    • Poll Question
  • A10 - Unvalidated Redirects and Forwards
    • Credits
    • Setup/reset the DB (Disabled: Not Admin)

• OWASP 2010
  • A7 - Insecure Cryptographic Storage
    • User Info (SQL)
    • User Info (XPath)
    • HTML5 Web Storage
    • View User Privileges
  • A8 - Failure to Restrict URL Access
    • Edit User Profile
    • PHP MyAdmin Console
    • Source Viewer
    • "Secret" Administrative Pages
    • Robots.txt
    • Arbitrary File Inclusion
    • PHP Info Page
  • A9 - Insufficient Transport Layer Protection
    • SSL Misconfiguration
    • Login
    • User Info (SQL)
    • User Info (XPath)

• OWASP 2007
  • A3 - Malicious File Execution
    • Text File Viewer
    • Source Viewer
  • A6 - Information Leakage
    • Edit User Profile
    • Cache-Control
    • X-Powered-By HTTP Header
    • HTML/JavaScript Comments
    • Click-Jacking
    • Cross-Site Framing (Third-Party Framing)
    • HTML5 Web Storage
    • PHP MyAdmin Console
    • PHP Info Page
    • Robots.txt
    • SSL Misconfiguration
  • A6 - Improper Error Handling
    • User Info (SQL)
    • User Info (XPath)
    • Login
    • Register
    • Edit User Profile
    • Pen Test Tool Lookup
    • Pen Test Tool Lookup (AJAX)
    • Lookup User (SOAP Web Service)

• Web Services
  • SOAP
    • Test Page
      • Hello World
    • Command Injection
      • DNS Lookup
    • SQL Injection
      • Lookup User
    • Username Enumeration
      • Lookup User
  • REST
    • SQL Injection
      • User Account Management
    • Username Enumeration
      • User Account Management
• HTML 5
  • HTML 5 Web Storage
    • HTML5 Web Storage
  • JavaScript Object Notation (JSON)
    • Pen Test Tool Lookup
    • Pen Test Tool Lookup (AJAX)
  • Asyncronous JavaScript and XML (AJAX)
    • Pen Test Tool Lookup (AJAX)
• Others
  • Client-side "Security" Controls
    • Client-side Control Challenge
  • Cross-Frame Framing (Third-party Framing)
    • Framer
  • Unrestricted File Upload
    • File Upload
  • Denial of Service
    • Text File Viewer
    • Show Web Log
  • JavaScript Validation Bypass
    • Login
    • User Info (SQL)
    • User Info (XPath)
    • Add to your blog
    • HTML5 Web Storage
    • DNS Lookup
    • Echo Message
    • Repeater
  • User-Agent Impersonation
  • Data Capture Pages
    • Data Capture
    • View Captured Data
• Documentation
  • Installation Instructions (Linux)
  • Installation Instructions (Windows)
  • Usage Instructions
  • Listing of Vulnerabilities
  • Change Log
  • Credits
  • Whitepaper: Introduction to the Mutillidae Web Pen Test Training Environment
• Resources
  • Latest Version of OWASP Mutillidae II
  • OWASP Top Ten
  • Web Penetration Testing Add-Ons