OWASP/railsgoat OWASP/railsgoat

  • Stars
    star
    852
  • Rank 51,548 (Top 2 %)
  • Language
    HTML
  • License
    MIT License
  • Created about 11 years ago
  • Updated 3 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
OWASP/railsgoat
github

OWASP

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A vulnerable version of Rails that follows the OWASP Top 10

RailsGoat Build Status Code Climate

RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 6. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.

Support

If you are looking for support or troubleshooting assistance, please visit our OWASP Slack Channel.

Getting Started

To begin, if you do not have Ruby, Git, MySQL, and Postgres, we suggest using this site to install the software. Pick the appropriate operating system and follow the instructions.

After installing the above software, clone this repo:

$ git clone [email protected]:OWASP/railsgoat.git

NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 6. Otherwise, if you wish to use the Rails 3 or 4 versions, you'll need to switch branches:

$ cd railsgoat
$ git checkout rails_3_2
$ git checkout rails_4_2

Navigate into the directory (already there if you followed the previous step) and install the dependencies:

$ bundle install

If you receive an error, make sure you have bundler installed:

$ gem install bundler

Initialize the database:

$ rails db:setup

Start the Thin web server:

$ rails server

Open your favorite browser, navigate to http://localhost:3000 and start hacking!

Docker Install

To run Railsgoat with Docker you must first have Docker and Docker Compose installed. Once those dependencies are installed, cd into the Railsgoat directory where you've cloned the code and run. Rails requires Compose 1.6.0 or above and require a Docker Engine of version 1.10.0 or above.

For Mac Apple Silicon (ARM64) you must also have Rosetta install

#~/code/railsgoat
$ docker-compose build
$ docker-compose run web rails db:setup
$ docker-compose up
...
  Creating railsgoat_web_1
  Attaching to railsgoat_web_1
$

Once you see the preceeding message Railsgoat is running on your localhost on port 3000.

Open your favorite browser, navigate to http://<dockerIP>:3000 and start hacking! The Docker IP is usually 192.168.99.100. Run docker-machine env to verify.

Note: if your container exits with an error, it may be because a server is already running:

A server is already running. Check /myapp/tmp/pids/server.pid.
=> Booting Thin
=> Rails 6.0.0 application starting in development on
http://0.0.0.0:3000
=> Run `rails server -h` for more startup options
=> Ctrl-C to shutdown server
Exiting

In this case, remove that server.pid file and try again. Note also that this file is in your current working directory, not inside the container.

Capybara Tests

RailsGoat now includes a set of failing Capybara RSpecs, each one indicating that a separate vulnerability exists in the application. To run them, you first need to install PhantomJS (version 2.1.1 has been tested in Dev and on Travis CI), which is required by the Poltergeist Capybara driver. Upon installation, simply run the following task:

$ rails training

To run just one spec:

$ rails training SPEC=spec/vulnerabilities/sql_injection_spec.rb

MySQL Environment

By default in development mode Railsgoat runs with a SQLite database. There is an environment defined to use MySQL. For some of the SQL injection vulnerabilities to work you have to run the app with MySQL as the database. The following steps will setup and run Railsgoat to use MySQL. MySQL must be installed and running before running these steps

#Create the MySQL database
RAILS_ENV=mysql rails db:create

#Run the migrations against the database
RAILS_ENV=mysql rails db:migrate

#Boot Rails using MySQl
RAILS_ENV=mysql rails s

Processing Email

In order for RailsGoat to effectively process email, you will first need to run MailCatcher, an SMTP server that will intercept email messages and display them in a web interface.

Mailcatcher is not installed by default. To install MailCatcher and start an instance of it, simply run:

$ gem install mailcatcher
$ mailcatcher

If successful, you should see the following output:

Starting MailCatcher
==> smtp://127.0.0.1:1025
==> http://127.0.0.1:1080
*** MailCatcher runs as a daemon by default. Go to the web interface to quit.

Alternatively, you can run MailCatcher in the foreground by running mailcatcher -f in your terminal.

Contributing

Please see our contribution document to learn more. Additionally, note that as changes are made to the application, the Capybara RSpecs can be used to verify that the vulnerabilities in the application are still intact. To use them in this way, and have them change to pending instead of fail, set the RAILSGOAT_MAINTAINER environment variable.

Conversion to the OWASP Top Ten 2013 completed in November, 2013.

License

The MIT License (MIT)

More Repositories

1

CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
Python
26,662
star
2

owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
Python
11,307
star
3

Amass

In-depth Attack Surface Mapping and Asset Discovery
Go
7,941
star
4

wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
Dockerfile
6,708
star
5

Go-SCP

Golang Secure Coding Practices guide
Go
4,729
star
6

Top10

Official OWASP Top 10 Document Repository
HTML
4,057
star
7

Nettacker

Automated Penetration Testing Framework - Open-Source Vulnerability Scanner - Vulnerability Management
Python
2,924
star
8

ASVS

Application Security Verification Standard
HTML
2,517
star
9

DevGuide

The OWASP Guide
2,011
star
10

API-Security

OWASP API Security Project
Dockerfile
1,943
star
11

owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
Python
1,942
star
12

NodeGoat

The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
HTML
1,809
star
13

QRLJacking

QRLJacking or Quick Response Code Login Jacking is a simple-but-nasty attack vector affecting all the applications that relays on “Login with QR code” feature as a secure way to login into accounts which aims for hijacking users session by attackers.
Python
1,308
star
14

SecurityShepherd

Web and mobile application security training platform
Java
1,279
star
15

wrongsecrets

Vulnerable app with examples showing how to not use secrets
Java
1,071
star
16

www-project-top-ten

OWASP Foundation Web Respository
HTML
1,032
star
17

joomscan

OWASP Joomla Vulnerability Scanner Project https://www.secologist.com/
Raku
1,009
star
18

crAPI

completely ridiculous API (crAPI)
Java
961
star
19

www-community

OWASP Community Pages are a place where OWASP can accept community contributions for security-related content.
HTML
888
star
20

threat-dragon

An open source threat modeling tool from OWASP
JavaScript
818
star
21

java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.
Java
788
star
22

OWASP-VWAD

The OWASP Vulnerable Web Applications Directory project (VWAD) is a comprehensive and well maintained registry of all known vulnerable web applications currently available.
749
star
23

DevSecOpsGuideline

The OWASP DevSecOps Guideline can help us to embedding security as a part of the development pipeline.
Python
705
star
24

ZSC

OWASP ZSC - Shellcode/Obfuscate Code Generator https://www.secologist.com/
Python
634
star
25

IoTGoat

IoTGoat is a deliberately insecure firmware created to educate software developers and security professionals with testing commonly found vulnerabilities in IoT devices.
C
628
star
26

Docker-Security

Getting a handle on container security
Dockerfile
613
star
27

OWASP-WebScarab

OWASP WebScarab
Java
582
star
28

www-project-kubernetes-top-ten

OWASP Foundation Web Respository
HTML
550
star
29

MASTG-Hacking-Playground

Java
549
star
30

DVSA

a Damn Vulnerable Serverless Application
JavaScript
515
star
31

glue

Application Security Automation
Ruby
513
star
32

owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
Java
473
star
33

SecureCodingDojo

The Secure Coding Dojo is a platform for delivering secure coding knowledge.
PHP
441
star
34

owasp.github.io

OWASP Foundation main site repository
HTML
423
star
35

rbac

PHP-RBAC is an authorization library for PHP. It provides developers with NIST Level 2 Standard Role Based Access Control and more, in the fastest implementation yet.
PHP
423
star
36

Python-Honeypot

OWASP Honeypot, Automated Deception Framework.
Python
404
star
37

samm

SAMM stands for Software Assurance Maturity Model.
JavaScript
395
star
38

iGoat-Swift

OWASP iGoat (Swift) - A Damn Vulnerable Swift Application for iOS
C
391
star
39

www-project-web-security-testing-guide

The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.
HTML
376
star
40

www-project-top-10-for-large-language-model-applications

OWASP Foundation Web Respository
TeX
374
star
41

threat-model-cookbook

This project is about creating and publishing threat model examples.
Python
373
star
42

igoat

OWASP iGoat - A Learning Tool for iOS App Pentesting and Security by Swaroop Yermalkar
C
368
star
43

O-Saft

O-Saft - OWASP SSL advanced forensic tool
Perl
344
star
44

Vulnerable-Web-Application

OWASP Vulnerable Web Application Project https://github.com/hummingbirdscyber
PHP
324
star
45

vbscan

OWASP VBScan is a Black Box vBulletin Vulnerability Scanner
Perl
322
star
46

Serverless-Goat

OWASP ServerlessGoat: a serverless application demonstrating common serverless security flaws
Python
302
star
47

SecureTea-Project

The OWASP SecureTea Project provides a one-stop security solution for various devices (personal computers / servers / IoT devices)
JavaScript
281
star
48

RiskAssessmentFramework

The Secure Coding Framework
TypeScript
245
star
49

pysap

pysap is an open source Python library that provides modules for crafting and sending packets using SAP's NI, Diag, Enqueue, Router, MS, SNC, IGS, RFC and HDB protocols.
Python
205
star
50

Serverless-Top-10-Project

OWASP Serverless Top 10
199
star
51

phpsec

OWASP PHP Security Project - THIS PROJECT IS INACTIVE AND MAY CONTAIN SECURITY FLAWS
197
star
52

json-sanitizer

Given JSON-like content, The JSON Sanitizer converts it to valid JSON.
Java
190
star
53

D4N155

OWASP D4N155 - Intelligent and dynamic wordlist using OSINT
Shell
186
star
54

www-chapter-japan

OWASP Foundation Web Respository
HTML
181
star
55

Maturity-Models

Node application to help managing Maturity Models like the ones created by BSIMM and OpenSAMM
JavaScript
176
star
56

www-project-ai-security-and-privacy-guide

OWASP Foundation Web Respository
HTML
170
star
57

passfault

OWASP Passfault evaluates passwords and enforces password policy in a completely different way.
JavaScript
169
star
58

OFFAT

The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving towards completion.
Python
159
star
59

ASST

OWASP ASST (Automated Software Security Toolkit) | A Novel Open Source Web Security Scanner.
JavaScript
152
star
60

IoT-Security-Verification-Standard-ISVS

OWASP IoT Security Verification Standard (ISVS)
TeX
129
star
61

Software-Component-Verification-Standard

Software Component Verification Standard (SCVS)
Python
127
star
62

owasp-summit-2017

Content for OWASP Summit 2017 site
CSS
126
star
63

BLT

OWASP BLT is a bug logging tool to report issues and get points, companies are held accountable.
HTML
124
star
64

www-project-secure-headers

The OWASP Secure Headers Project
Python
122
star
65

SEDATED

SEDATED® Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure)
Shell
109
star
66

sonarqube

OWASP SonarQube Project
Dockerfile
107
star
67

www-project-code-review-guide

OWASP Code Review Guide Web Repository
HTML
106
star
68

www-project-proactive-controls

OWASP Foundation Web Respository
Shell
104
star
69

raider

OWASP Raider: a novel framework for manipulating the HTTP processes of persistent sessions
Python
103
star
70

OWASP-Testing-Guide

OWASP Testing Guide
103
star
71

OWASPWebGoatPHP

A deliberately vulnerable web application for learning web application security.
PHP
99
star
72

user-security-stories

Repo to hold mapping of user-security-stories
99
star
73

KubeLight

OWASP Kubernetes security and compliance tool [WIP]
Python
97
star
74

Honeypot-Project

Python
78
star
75

www-project-webgoat

OWASP Foundation Web Respository
HTML
78
star
76

NINJA-PingU

Python
77
star
77

threat-dragon-desktop

Desktop variant of OWASP Threat Dragon
77
star
78

www-project-mobile-top-10

HTML
75
star
79

owasp-istg

The IoT Security Testing Guide (ISTG) provides a comprehensive methodology for penetration tests in the IoT field, offering flexibility to adapt innovations, and developments in the IoT market while still ensuring comparability of test results.
Python
73
star
80

www-project-csrfguard

The aim of this project is to protect Java applications against CSRF attacks with the use of Synchronizer Tokens
Java
71
star
81

SSO_Project

OWASP Single Sign-On allows a secure-by-default self-hosted SSO experience, including phishing-proof two-factor authentication, using state-of-the-art security mechanisms.
JavaScript
68
star
82

www-project-zap

OWASP Zed Attack Proxy project landing page.
HTML
67
star
83

PHP-ESAPI

Migrated from code.google.com to a more active public repository.
PHP
65
star
84

www-project-security-knowledge-framework

OWASP Foundation Web Respository
HTML
64
star
85

wpBullet

Python
63
star
86

www-project-top-10-low-code-no-code-security-risks

OWASP Low-Code/No-Code Top 10
HTML
60
star
87

www-project-threat-dragon

OWASP Foundation Threat Dragon Project Web Repository
HTML
59
star
88

www-project-top-10-ci-cd-security-risks

OWASP Foundation Web Respository
HTML
58
star
89

www-project-application-security-verification-standard

OWASP Foundation Web Respository
HTML
58
star
90

www-project-machine-learning-security-top-10

OWASP Machine Learning Security Top 10 Project
HTML
57
star
91

Container-Security-Verification-Standard

Container Security Verification Standard
Python
56
star
92

OpenCRE

CSS
55
star
93

www-project-developer-guide

OWASP Project Developer Guide - Document and Project Web pages
HTML
52
star
94

www-project-secure-coding-practices-quick-reference-guide

OWASP Foundation Project Web Repository for Secure Coding Practices Quick-reference Guide
HTML
52
star
95

www-project-devsecops-guideline

The OWASP DevSecOps Guideline explains how we can implement a secure pipeline and use best practices and introduce tools that we can use in this matter. Also, the project is trying to help us promote the shift-left security culture in our development process.
HTML
49
star
96

www-project-devsecops-maturity-model

OWASP Foundation Web Respository
HTML
48
star
97

www-project-juice-shop

OWASP Foundation Web Respository
HTML
48
star
98

packman

A documentation and tracking project with the goal of making package management systems more secure.
47
star
99

www-project-api-security

OWASP Foundation Web Repository
HTML
47
star
100

WebGoat

This is a defunct code base. The project is located at: https://github.com/WebGoat
HTML
47
star