Afina tus habilidades de penetración web con Mutillidae


Multillidae es otro de los proyectos con los que podemos jugar y afinar nuestras técnicas de penetración web. Es un proyecto multiplataforma escrito en PHP y que se puede instalar usando XAMPP. También está disponible en la distribución Samurai WTF

Este proyecto cubre todas las vulnerabilidades recogidas en el OWASP Top 10.

Puedes descargar el proyecto desde aquí.

Como extra, en youtube puedes encontrar un canal (@webpwnized) (desarrollador actual del proyecto) con gran cantidad de vídeo tutoriales sobre esta plataforma. También puedes acceder a dichos vídeos desde la web de irongeek (creador inicial de Mutillidae).

La lista de los vídeos es la siguiente:

  1. Determine Http Methods Using Netcat

  2. Determine Server Banners Using Netcat Nikto And W3af

  3. Bypass Authentication Using SQL Injection

  4. Using Menus

  5. Bypass Authentication Via Authentication Token Manipulation

  6. Explanation Of HTTPonly Cookies In Presense Of Cross Site Scripting

  7. Closer Look At Cache Control And Pragma No Cache Headers

  8. Demonstration Of Frame Busting Javascript And X-Frame Options Header

  9. How To Install And Configure Burp Suite With Firefox

  10. Basics Of Web Request And Response Interception Using Burp Suite

  11. Brute Force Authentication Using Burp Intruder

  12. Automate SQL Injection Using SQLMap To Dump Credit Cards Table

  13. Command Injection To Dump Files Start Services Disable Firewall

  14. How To Exploit Local File Inclusion Vulnerability Using Burp Suite

  15. HTML Injection To Popup Fake Login Form And Capture Credentials

  16. Two Methods To Steal Session Tokens Using Cross Site Scripting

  17. How To Bypass Maxlength Restrictions On HTML Input Fields

  18. Two Methods To Bypass Javascript Validation

  19. Three Methods For Viewing Http Request And Response Headers

  20. Basics Of SQL Injection Timing Attacks

  21. Basics Of SQL Injection Using Union

  22. Basics Of Inserting Data With SQL Injection

  23. Inject Root Web Shell Backdoor Via SQL Injection

  24. Basics Of Using SQL Injection To Read Files From Operating System

  25. How To Locate The Easter Egg File Using Command Injection

  26. Injecting Cross Site Script Into Stylesheet Context

  27. Introduction To Http Parameter Pollution

  28. Basics Of Injecting Cross Site Script Into HTML Onclick Event

  29. Basics Of Finding Reflected Cross Site Scripting

  30. Analyze Session Token Randomness Using Burp Suite Sequencer

  31. Using Nmap To Fingerprint Http Servers And Web Applications

  32. Spidering Web Applications With Burp Suite

  33. Basics Of Burp Suite Targets Tab And Scope Settings

  34. Brute Force Page Names Using Burp Intruder Sniper

  35. Using Burp Intruder Sniper To Fuzz Parameters

  36. Comparing Burp Intruder Modes Sniper Battering RAM Pitchfork Cluster Bomb

  37. Demo Usage Of Burp Suite Comparer Tool

  38. Import Custom Nmap Scans Into Metasploit Community Edition

  39. Using Metasploit Community Edition To Locate Web Servers

  40. XSS DNS Lookup Page Bypassing Javascript Validation

  41. Use Burp Suite Sequencer To Compare Csrf Token Strengths

  42. How To Remove PHP Errors After Installing On Windows Xampp

  43. Quickstart Guide To Installing On Windows With Xampp

  44. Basics Of Running Nessus Scan On Backtrack 5 R1

  45. How To Import Nessus Scans Into Metasploit Community Edition

  46. Basics Of Exploiting Vulnerabilities With Metasploit Community Edition

  47. Sending Persistent Cross Site Scripts Into Web Logs To Snag Web Admin

  48. Quick Start Overview Of Useful Pen-Testing Addons For Firefox

  49. Three Methods For Viewing Javascript Include Files

  50. Reading Hidden Values From HTML5 Dom Storage

  51. How To Execute Javascript On The Urlbar In Modern Browsers

  52. Adding Values To Dom Storage Using Cross Site Scripting

  53. Alter Values In Html5 Web Storage Using Cross Site Script

  54. Altering Html 5 Web Storage Values Using Persistent XSS

  55. Altering HTML 5 Web Storage With A Reflected XSS

Puedes encontrar más información en la web del proyecto.