DjanGoat is a vulnerable Django Application based in large part off the RailsGoat project. The application purports to be an internal employee portal for MetaCorp, Inc but includes vulnerabilities from the OWASP Top 10 and is intended to be used as an educational tool for developers and security professionals.
On a mac, first install python.
- Python 2.7
- mysql (optional)
Begin by creating a virtual-env
pip install virtualenv virtualenv env source env/bin/activate
Then install using pip
Djangoat uses a SQLite database by default. To deploy the server locally with a SQLite database, use:
This will initialize and migrate a new (gitignored) SQLite database
db.sqlite3 in the root project directory. It will then run the server locally.
At any point after the database has been migrated, it can be seeded with
python manage.py seed.
- Make sure you have mysql installed and run the following to setup the database
mysql -u root -p CREATE DATABASE `db_name`; CREATE USER 'username'@'localhost' IDENTIFIED BY 'your_password'; GRANT ALL PRIVILEGES ON `db_name`.* TO 'username'@'localhost'; FLUSH PRIVILEGES; quit
Go to pygoat/production_settings.py and fill out the given information for your database.
Migrate the models and associated database data
python manage.py makemigrations python manage.py migrate
- To set up seed data you can run:
python manage.py seed
For developers create a local_settings.py file in the pygoat folder that mocks production_setting.py.
If Django does not recognize MySQL after the setup above, try installing mysql-python and migrate again
pip install mysql-python
Finally run on localhost:8000
python manage.py runserver
If you want to setup DjanGoat with a PostgreSQL database, checkout the PostgreSQL branch with the following command:
$ git checkout postgresql-database
The PostgreSQL branch has modified documentation and tests.
To run tests, simply run:
pylint using the provided
.pylintrc configuration file:
Tutorial information on the various vulnerabilities in this application are here.
The development team.