DjanGoat is a vulnerable Django Application based in large part off the RailsGoat project. The application purports to be an internal employee portal for MetaCorp, Inc but includes vulnerabilities from the OWASP Top 10 and is intended to be used as an educational tool for developers and security professionals. Any maintainers are welcome to make pull requests.

On a mac, first install python.

Requirements:

• Python 2.7
• Pip
• mysql (optional)

Begin by creating a virtual-env

    pip install virtualenv
    virtualenv env
    source env/bin/activate

Then install using pip

    make install

Djangoat uses a SQLite database by default. To deploy the server locally with a SQLite database, use:

    make run

This will initialize and migrate a new (gitignored) SQLite database db.sqlite3 in the root project directory. It will then run the server locally.

At any point after the database has been migrated, it can be seeded with python manage.py seed.

1. Make sure you have mysql installed and run the following to setup the database

    mysql -u root -p
    CREATE DATABASE `db_name`;
    CREATE USER 'username'@'localhost' IDENTIFIED BY 'your_password';
    GRANT ALL PRIVILEGES ON `db_name`.* TO 'username'@'localhost';
    FLUSH PRIVILEGES;
    quit

2. Go to pygoat/production_settings.py and fill out the given information for your database.

3. Migrate the models and associated database data

    python manage.py makemigrations
    python manage.py migrate

4. To set up seed data you can run:

    python manage.py seed

For developers create a local_settings.py file in the pygoat folder that mocks production_setting.py.

If Django does not recognize MySQL after the setup above, try installing mysql-python and migrate again

    pip install mysql-python

Finally run on localhost:8000

    python manage.py runserver

If you want to setup DjanGoat with a PostgreSQL database, checkout the PostgreSQL branch with the following command:

    $ git checkout postgresql-database

The PostgreSQL branch has modified documentation and tests.

To run tests, simply run:

    make test

To run pylint using the provided .pylintrc configuration file:

    make lint

Tutorial information on the various vulnerabilities in this application are here.

The development team.