Getting Started with OWASP Mutillidae II

A beginner-friendly guide to one of the most powerful vulnerable web apps for practicing ethical hacking

What Is OWASP Mutillidae II?

OWASP Mutillidae II, also known as Matilda Day 2, is a deliberately vulnerable web application designed to help you practice:

Web application penetration testing
Vulnerability discovery and exploitation
OWASP Top 10 concepts

It’s written in PHP, runs on Apache, and uses MySQL as the backend database — making it a perfect candidate for practicing attacks on a real-world tech stack.

What You Need to Run It

Matilda is a LAMP-based application, so you’ll need:

Linux (like Ubuntu)
Apache (the web server)
MySQL (for user data, blog posts, etc.)
PHP (server-side scripting)

Once everything is installed, you place the Matilda files in your web root (usually /var/www/html/), and you’re good to go.

What’s Inside Matilda?

Once launched, you’ll be greeted by a web application that mimics real-world sites, complete with:

User login system
Blog posts
Forums
Forms for contact, upload, search, etc.
Admin panel (hidden, of course)

This is your playground — each page is packed with at least one (if not multiple) vulnerabilities.

Types of Vulnerabilities You Can Practice

Here’s a breakdown of some major exploit types you’ll find in Matilda:

Category	Example Attacks
Injection	SQL Injection, Command Injection, HTML Injection
Authentication	Weak logins, bypasses, brute-forcing
Broken Access Control	Privilege escalation, IDOR
Cross-Site Scripting	Stored, reflected, DOM-based XSS
File Upload	Unrestricted upload leading to RCE
Information Disclosure	Comments, headers, hidden fields
Security Misconfigurations	Directory listings, server info leaks
CSRF	Cross-site request forgery on form actions

Matilda is OWASP-aligned, so you can train against nearly the entire OWASP Top 10.

Before You Start Exploiting: Must-Knows

1. Database Configuration

Check includes/config.inc or similar file for DB credentials
Make sure MySQL is running
Run the setup script (setup.php) to populate the database

2. Permissions

Ensure Apache can read/write to required folders (especially for upload-related challenges)
Watch for file ownership (chown) and permission (chmod) issues on /var/www/html/

3. PHP & Apache Errors

Turn on error reporting in php.ini for better debugging
Look at /var/log/apache2/error.log when something breaks

4. Sessions and Cookies

Matilda uses PHP sessions for login
Try inspecting Set-Cookie headers to understand session flow
Practice session hijacking or fixation where appropriate

Tools to Use Against Matilda

Tool	Purpose
Burp Suite	Intercept, modify, and replay HTTP requests
Nikto	Scan for common web vulnerabilities
SQLMap	Automate SQLi detection/exploitation
FFUF / Dirb / Gobuster	Discover hidden paths or files
XSStrike	XSS fuzzing and detection
WFuzz	Brute-force parameters or login forms

Pro Tips for Pentesters

Treat Matilda like a real target — don’t just go through the motions. Intercept, analyze, and try manual payloads before relying on automated tools.
Focus on logic — many challenges require chaining multiple bugs (like uploading a web shell, then accessing it).
Explore user roles — escalate from regular user to admin by exploiting IDOR or broken auth.
Don’t skip recon — even though it’s a local vulnerable app, you should still enumerate it properly: headers, cookies, paths, etc.

Example Challenges You’ll Encounter

Page	Challenge
Login	Bypass auth with SQLi or default creds
Search	Perform SQL Injection
Upload	Upload a PHP shell and gain RCE
User Profile	Exploit XSS or CSRF
Admin Panel	Find and abuse hidden access points

Summary

Topic	Description
What is Matilda?	A vulnerable PHP web app for hacking practice
How to run it?	Host it in a LAMP environment (Apache, PHP, MySQL)
What to expect?	SQLi, XSS, File Upload, Broken Auth, and more
Before you exploit?	Set up database, check config, enable PHP errors
Pentesting mindset?	Treat it like a live target, not just a checklist