DjanGoat is a vulnerable Django Application based in large part off the RailsGoat project. The application purports to be an internal employee portal for MetaCorp, Inc but includes vulnerabilities from the OWASP Top 10 and is intended to be used as an educational tool for developers and security professionals.
On a mac, first install python.
Requirements:
- Python 2.7
- Pip
- mysql
Begin by creating a virtual-env
pip install virtualenv
virtualenv env
source env/bin/activate
Then install using pip
pip install -r requirements.txt
Now we need to setup our database If you want to use a MySQL database, continue following this README. If you want to setup DjanGoat with a PostgreSQL database, checkout the PostgreSQL branch with the following command:
$ git checkout postgresql-database
The PostgreSQL branch has modified documentation and tests.
- Make sure you have mysql installed and run the following to setup the database
mysql -u root -p
CREATE DATABASE `db_name`;
CREATE USER 'username'@'localhost' IDENTIFIED BY 'your_password';
GRANT ALL PRIVILEGES ON `db_name`.* TO 'username'@'localhost';
FLUSH PRIVILEGES;
quit
-
Go to pygoat/production_settings.py and fill out the given information for your database.
-
Migrate the models and associated database data
python manage.py makemigrations
python manage.py migrate
- To set up seed data you can run:
python manage.py seed
For developers create a local_settings.py file in the pygoat folder that mocks production_setting.py.
If Django does not recognize MySQL after the setup above, try install mysql-python and migrate again
pip install mysql-python
Finally run on localhost:8000
python manage.py runserver
To run tests, simply run:
python manage.py test app
To run the pylint before running on Jenkins, run:
pylint app pygoat
Tutorial information on the various vulnerabilities in this application are here.
The development team.