Python and Django implementation of the OWASP RailsGoat project
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.

README.md

Codacy Badge Build Status Codacy Badge CodeFactor Total alerts codebeat badge

DjanGoat

DjanGoat is a vulnerable Django Application based in large part off the RailsGoat project. The application purports to be an internal employee portal for MetaCorp, Inc but includes vulnerabilities from the OWASP Top 10 and is intended to be used as an educational tool for developers and security professionals.

Installation

On a mac, first install python.

Initial Setup

Requirements:

  • Python 2.7
  • Pip
  • mysql (optional)

Begin by creating a virtual-env

    pip install virtualenv
    virtualenv env
    source env/bin/activate

Then install using pip

    make install

DB-Setup

SQLite

Djangoat uses a SQLite database by default. To deploy the server locally with a SQLite database, use:

    make run

This will initialize and migrate a new (gitignored) SQLite database db.sqlite3 in the root project directory. It will then run the server locally.

At any point after the database has been migrated, it can be seeded with python manage.py seed.

MySQL

  1. Make sure you have mysql installed and run the following to setup the database
    mysql -u root -p
    CREATE DATABASE `db_name`;
    CREATE USER 'username'@'localhost' IDENTIFIED BY 'your_password';
    GRANT ALL PRIVILEGES ON `db_name`.* TO 'username'@'localhost';
    FLUSH PRIVILEGES;
    quit
  1. Go to pygoat/production_settings.py and fill out the given information for your database.

  2. Migrate the models and associated database data

    python manage.py makemigrations
    python manage.py migrate
  1. To set up seed data you can run:
    python manage.py seed

For developers create a local_settings.py file in the pygoat folder that mocks production_setting.py.

If Django does not recognize MySQL after the setup above, try installing mysql-python and migrate again

    pip install mysql-python

Finally run on localhost:8000

    python manage.py runserver

PostgreSQL

If you want to setup DjanGoat with a PostgreSQL database, checkout the PostgreSQL branch with the following command:

    $ git checkout postgresql-database

The PostgreSQL branch has modified documentation and tests.

Testing

To run tests, simply run:

    make test

Linting

To run pylint using the provided .pylintrc configuration file:

    make lint

Tutorial

Tutorial information on the various vulnerabilities in this application are here.

Acknowledgements

The development team.