An intentionally vulnerable Django app, to help Django developers learn security testing.
There are two main branches in this repo:
master branch shouldn't contain many vulnerabilities, and the
branch should contain some. If you look at the commit history of the
branch, you'll see vulnerabilities introduced into it one commit at a time.
This should help you understand what each vulnerability looks like, and how to
Mac users: please ensure you've enabled installing applications from unidentified developers. You can find how to do this here.
Installation options are here: https://github.com/zaproxy/zaproxy/wiki/Downloads
snap seems to be straightforward::
$ snap install zaproxy --classic
Install Python packages
Make a virtualenv::
$ mkvirtualenv --python=`which python3` djangogoat
Install the requirements::
$ cd /path/to/djangogoat $ pip install -r requirements_app.txt $ pip install -r requirements_tests.txt
Start the app
Initialise the database::
$ ./manage.py migrate
Collect static files and then start the server::
$ ./manage.py collectstatic $ gunicorn --certfile=dg-server.crt --keyfile=dg-server.key djangogoat.wsgi
Remember to restart
gunicorn after you switch branches in this repo, or after
you make any changes to the app's code.
Start testing it
If you're on the
master branch, you should see no ZAP alerts when you run the
If you're on the
broken branch, you should see ZAP alerts.
Open a new terminal window, and then run the tests::
$ cd /path/to/djangogoat $ workon djangogoat $ behave
Note that every time you restart the tests the database is flushed.
Developers and security people are encouraged to contribute to this project.
How can you get involved?
- Look at our open issues, and work on one of those.
- Submit an issue if there's a change you'd like to say, or a bug you've found.
- Give us a PR if you find any typos, inconsistencies or spelling mistakes.
Guide to contributions:
Please make sure you branch from the right place.
mastershould be your starting point for any security, documentation, or testing improvements.
brokenis the starting point for adding new vulnerabilities. The correct branch will be mentioned in the ticket.
We don't currently have our own code of conduct, but for the meantime, all contributors should follow the Django Project code of conduct, found here: https://www.djangoproject.com/conduct/