Thought I'd leave this here in case anyone else came across this issue...

I'm running a kali linux vm with the citizenstig/nowasp image for reference.

I came across an issue with OWASP 2017 -> A1 Injection (Other) -> JavaScript Object Notation (JSON) Injection -> Pen Test Lookup (AJAX). When clicking the Lookup Tool the page does not display anything indicating an ajax response. I ran it through an intercept proxy (burpsuite) and saw I was actually getting a 404 error referencing an expected php file located at /mutillidae/ajax/pen-test-lookup-ajax.php (note that in this docker build, mutillidae was put in the /app directory and not /mutillidae)

I found that /app/pen-test-tool-lookup-ajax.php has a variable lURL that's set to /mutillidae/ajax/pen-test-lookup-ajax.php - it just needs to be changed to /ajax/pen-test-lookup-ajax.php.

I used the following docker exec commands to make the change:
docker exec NAME sh -c "sed -i 's:/mutillidae/ajax:/ajax:g' /app/pen-test-tool-lookup-ajax.php"
docker exec NAME sh -c "service apache2 restart"

I know it's not the most exciting exercise, but it was a quick fix. I haven't looked, but there may also be other instances of this issue scattered about.