Python and Django implementation of the OWASP RailsGoat project


DjanGoat is a deliberately vulnerable Django application based in large part on the RailsGoat project. It purports to be an internal employee portal for MetaCorp, Inc. but contains vulnerabilities from the OWASP Top 10 and is intended as an educational tool for developers and security professionals. Because it is vulnerable by design, run it only on a local machine or an isolated network, never on an internet-facing host.


On a Mac, first install Python.

Initial Setup


  • Python 2.7
  • pip
  • MySQL (optional)

Begin by creating a virtualenv and activating it:

    pip install virtualenv
    virtualenv env
    source env/bin/activate

Then install the dependencies using pip:

    make install



DjanGoat uses a SQLite database by default. To deploy the server locally with a SQLite database, use:

    make run

This will initialize and migrate a new (gitignored) SQLite database db.sqlite3 in the root project directory, then run the server locally.

At any point after the database has been migrated, it can be seeded with:

    python manage.py seed


MySQL Setup

  1. Make sure you have MySQL installed and run the following to set up the database and a dedicated application user (the grant is scoped to that one database, so do not run the application as root):

    mysql -u root -p
    CREATE DATABASE `db_name`;
    CREATE USER 'username'@'localhost' IDENTIFIED BY 'your_password';
    GRANT ALL PRIVILEGES ON `db_name`.* TO 'username'@'localhost';

  2. Go to pygoat/ and fill in the connection details for your database.

  3. Migrate the models and associated database data:

    python manage.py makemigrations
    python manage.py migrate

  4. To set up seed data, run:

    python manage.py seed

For developers create a file in the pygoat folder that mocks
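As an added example (not DjanGoat's own settings code), one way to fill in the database settings for the step above without committing MySQL credentials to the repository: derive Django's DATABASES dict from environment variables, keep the project's SQLite default when none are set, and refuse to connect as root or with an empty password. The DJANGOAT_DB_* variable names and the build_database_settings function are assumptions for illustration, not names from the project; the ENGINE strings are Django's standard backends.

```python
# Added example, not DjanGoat's own settings: build Django's DATABASES
# setting from environment variables so MySQL credentials never land in
# the repository. Written to run on Python 2.7 as well as Python 3.
import os


def build_database_settings(env, base_dir):
    """Return a Django DATABASES dict derived from env (e.g. os.environ).

    With no DJANGOAT_DB_ENGINE set, use the default SQLite file
    db.sqlite3 in base_dir, as the README describes. With
    DJANGOAT_DB_ENGINE=mysql, require the MySQL connection parameters
    (hypothetical DJANGOAT_DB_* names) and reject an empty password or
    the root account, matching the dedicated user created in the setup.
    """
    engine = env.get("DJANGOAT_DB_ENGINE", "sqlite").lower()
    if engine == "sqlite":
        return {
            "default": {
                "ENGINE": "django.db.backends.sqlite3",
                "NAME": os.path.join(base_dir, "db.sqlite3"),
            }
        }
    if engine != "mysql":
        raise ValueError("unsupported DJANGOAT_DB_ENGINE: %r" % engine)

    required = ("DJANGOAT_DB_NAME", "DJANGOAT_DB_USER", "DJANGOAT_DB_PASSWORD")
    missing = [key for key in required if not env.get(key)]
    if missing:
        raise ValueError("missing MySQL settings: " + ", ".join(missing))
    if env["DJANGOAT_DB_USER"] == "root":
        raise ValueError("connect as the dedicated application user, not root")

    return {
        "default": {
            "ENGINE": "django.db.backends.mysql",
            "NAME": env["DJANGOAT_DB_NAME"],
            "USER": env["DJANGOAT_DB_USER"],
            "PASSWORD": env["DJANGOAT_DB_PASSWORD"],
            # Default to the loopback address; the GRANT above is for
            # 'username'@'localhost', so a remote HOST would be refused anyway.
            "HOST": env.get("DJANGOAT_DB_HOST", "127.0.0.1"),
            "PORT": env.get("DJANGOAT_DB_PORT", "3306"),
        }
    }


# In the project's settings module this would be used as:
# DATABASES = build_database_settings(os.environ, BASE_DIR)
```

Export DJANGOAT_DB_ENGINE=mysql together with the name, user and password before running the migrations; with nothing exported the SQLite default from the section above is used unchanged.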

If Django cannot connect to MySQL after the setup above, install the MySQL-python driver (it supports Python 2 only, which matches the Python 2.7 requirement) and run the migration again:

    pip install mysql-python

Finally, run the development server, which listens on localhost:8000 by default. Keep it bound to the loopback address and do not pass 0.0.0.0 to runserver, since the application is vulnerable by design:

    python manage.py runserver


If you want to set up DjanGoat with a PostgreSQL database, check out the PostgreSQL branch with the following command:

    $ git checkout postgresql-database

The PostgreSQL branch has modified documentation and tests.


To run the tests, run:

    make test


To run pylint using the provided .pylintrc configuration file:

    make lint


Tutorial information on the various vulnerabilities in this application is here.


The development team.