Irongeek.com’s Mutillidae, deliberately vulnerable PHP implementing OWASP Top 10


Found this when viewing Irongeek.com’s Adrian Crenshaw’s YouTube recording at the Louisville Chapter of OWASP, sharing Mutillidae.

“Mutillidae: A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10

As I figure most people reading this know, I make infosec tutorial videos for my site Irongeek.com. I wanted to start covering more web application pen-testing tools and concepts in some of these videos. Of course, I need a vulnerable web app or two to use for these demos. I dig WebGoat, but sometimes it’s a little hard to figure out exactly what they want you to do to exploit a given web application. Also, WebGoat may be a little too complex to use when introducing a web programming newbie to web application security (it’s easy to get lost in the code, especially J2EE). In an attempt to have something to use as a demo in my videos and in class, I started the Mutillidae project.

What I’m attempting to do with Mutillidae is implement the OWASP Top 10 in PHP, and do it in such a way that it is easy to demonstrate common attacks to others. Feel free to use it in your own classes or videos, but if you do I’d love to hear about it. Many web app hobbyists and professionals use PHP, and it’s pretty easy to pick up the basics of the language. The Mutillidae webpage is a set of related simple PHP scripts meant to illustrate the core concepts of the OWASP Top 10 vulnerabilities list. For the sake of teaching core concepts, I plan to implement all of the OWASP Top 10 vulnerabilities, in multiple ways (but I could always use some help, especially in writing the hints sections)…”
