forked from OWASP/railsgoat

A vulnerable version of Rails that follows the OWASP Top 10

rifkinni/railsgoat

RailsGoat

RailsGoat is a vulnerable version of the Ruby on Rails Framework, covering framework versions 3 to 6. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt were worth sharing. The project is designed to educate both developers and security professionals.

Support

If you are looking for support or troubleshooting assistance, please visit our OWASP Slack Channel.

Getting Started

Clone your new repo:

$ git clone git@github.com:<YOUR GITHUB USER NAME>/railsgoat.git
$ cd railsgoat

Install the dependencies:

$ gem install bundler
$ bundle install

Initialize the database:

$ rails db:setup

Start the Thin web server:

$ rails server

Open your favorite browser, navigate to http://localhost:3000 and start hacking!

Capybara Tests

RailsGoat now includes a set of failing Capybara RSpecs, each one indicating that a separate vulnerability exists in the application. To run them, you first need to install PhantomJS (version 2.1.1 has been tested in development and on Travis CI), which the Poltergeist Capybara driver requires. Once it is installed, run the following task:

$ rails training

To run just one spec:

$ rails training SPEC=spec/vulnerabilities/sql_injection_spec.rb
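To make concrete what a spec such as sql_injection_spec.rb is checking for, here is an added, self-contained Ruby example (not code from RailsGoat or its specs): it models a Rails `where` clause built by string interpolation next to the same clause built with a `?` placeholder, and flags the query whose grammar the input has changed. The `quote` helper is an assumption that mimics ActiveRecord's string quoting (value wrapped in single quotes, embedded single quotes doubled).

```ruby
# Added example, not code from RailsGoat itself. It models the two ways a
# Rails `where` clause can be built so the reader can see what the failing
# sql_injection spec reports. `quote` is an assumption that mimics the
# quoting ActiveRecord applies when it binds a `?` placeholder.

# Vulnerable pattern: user input is interpolated straight into the SQL text,
# so a quote inside the input becomes part of the query's grammar.
def vulnerable_where(email)
  "SELECT * FROM users WHERE email = '#{email}'"
end

# Wrap the value in single quotes and double any embedded single quote, so
# the whole value stays one string literal.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Safe pattern: the same clause written with a placeholder, as in
# User.where("email = ?", email); the input can only ever be data.
def safe_where(email)
  "SELECT * FROM users WHERE email = ?".sub("?") { quote(email) }
end

# Counts SQL string literals in a query. A clause built from one value
# should contain exactly one literal; more than one means the input changed
# the grammar, which is the condition the training spec is detecting.
def literal_count(sql)
  sql.scan(/'(?:[^']|'')*'/).size
end

def grammar_changed?(sql)
  literal_count(sql) != 1
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a normal address and a quote-bearing one.
  ["user@example.com", "' OR '1'='1"].each do |input|
    [["vulnerable", vulnerable_where(input)], ["safe", safe_where(input)]].each do |label, sql|
      puts "#{label}: #{sql}  (grammar changed: #{grammar_changed?(sql)})"
    end
  end
end
```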

License

The MIT License (MIT)

Helpful Ruby Hints

Ruby usually gives you 1001 ways to accomplish a task, and the goal of this course is not to master the language. However, this will hopefully be a useful reference or template for basic syntax hints.

Functions

def another_function(n) # defined here so the example runs on its own
  puts n
end

def function
  puts 'Hello World'
  another_function 2  # notice the () around arguments are optional when calling a method
  another_function(3) # equally valid
end

Conditionals

if true
  # always executes
end

unless false
  # always executes
end

Loops

my_array = [1, 'hello', 2, 'goodbye']
my_array.each do |element|
  puts "the next element is #{element}"
end

Classes

class ParentClass # defined here so the example runs on its own
end

class MyClass < ParentClass # MyClass inherits from ParentClass
  def initialize
    @attribute = 'my attribute'
  end

  def self.static_method
    # a class method: this can be called without instantiating the class first
    # MyClass.static_method
  end

  def regular_method
    # an instance method: called on an instance of the class
    # MyClass.new.regular_method
  end
end

Implicit returns

def return_true # returns true
  true
end

def conditionally_return_true(some_condition) # returns either true or 'bananas'
  if some_condition
    true
  else
    'bananas'
  end
end

Symbols

For simplicity, you can think of symbols as strings (even though technically they're different).

:symbol || 'symbol' # symbols and strings are similar (ish!)

They're usually used as key mappings, like a dictionary/hash.

{ :key => 'value' } # this is the most common use case for symbols

Read more about symbols.
