OWASP Railsgoat.
100K+
RailsGoat is a deliberately vulnerable web application built on Ruby on Rails. It demonstrates real-world security vulnerabilities from the OWASP Top 10 and serves as a hands-on training platform for developers and security professionals.
RailsGoat is an intentionally insecure Rails application designed to teach web application security. By exploring and exploiting its vulnerabilities, you'll learn:
Current Version: Rails 8.0 with Ruby 3.4.1
RailsGoat demonstrates real-world security vulnerabilities from the OWASP Top 10, including SQL injection, cross-site scripting (XSS), authentication issues, insecure direct object references, and more.
For a complete list of vulnerabilities with detailed explanations and tutorials, visit the RailsGoat Wiki.
New to Ruby? Follow the setup guide at GoRails for your operating system.
Clone the repository:
git clone https://github.com/OWASP/railsgoat.git
cd railsgoat
Install dependencies:
gem install bundler
bundle install
Setup the database:
rails db:setup
Start the server:
rails server
Open your browser:
Navigate to http://localhost:3000 and start exploring!
The main branch runs Rails 8. For older versions, switch branches:
git checkout rails_3_2 # Rails 3.2
git checkout rails_4_2 # Rails 4.2
git checkout rails_5 # Rails 5.x
Run the vulnerability test suite to see which security flaws exist:
rails training
Each failing test indicates a vulnerability. The test output includes a link to a wiki tutorial explaining:
To run a specific vulnerability test:
rails training SPEC=spec/vulnerabilities/sql_injection_spec.rb
Visit the RailsGoat Wiki for detailed tutorials on each vulnerability, including:
Additional documentation covering advanced and modern Rails security concepts:
Requirements: Docker and Docker Compose 1.6.0+
For Mac Apple Silicon (ARM64): Rosetta must be installed
docker-compose build
docker-compose run web rails db:setup
docker-compose up
The application will be available at http://localhost:3000
Troubleshooting: If the container exits with "A server is already running", remove tmp/pids/server.pid from your working directory and try again.
Some SQL injection vulnerabilities require MySQL. To run with MySQL:
# Create and migrate the database
RAILS_ENV=mysql rails db:create
RAILS_ENV=mysql rails db:migrate
# Start the server
RAILS_ENV=mysql rails server
RailsGoat uses MailCatcher to intercept emails:
gem install mailcatcher
mailcatcher
View emails at http://localhost:1080
Set the RAILSGOAT_MAINTAINER environment variable to verify that vulnerabilities still exist:
RAILSGOAT_MAINTAINER="yes" bundle exec rspec
In maintainer mode, tests pass when vulnerabilities are correctly implemented (opposite of training mode).
We welcome contributions! Please see our contribution guidelines for details.
Need help?
RailsGoat was created to demonstrate security vulnerabilities in Rails applications and teach secure coding practices. It has been continuously updated through Rails versions 3, 4, 5, 6, and now 8, maintaining relevance as the framework evolves.
Conversion to OWASP Top Ten 2013 completed in November 2013.
Warning: This application contains serious security vulnerabilities. Never deploy it on a public server or network. Use only in isolated training environments.
Content type
Image
Digest
sha256:facf84abd…
Size
509.1 MB
Last updated
6 months ago
docker pull owasp/railsgoat:mainPulls:
130
Last week