Getting Started

Let's do this!

Getting Started

Where to begin

Support Disclaimer

These tutorials assume you are running Linux or Mac OS. If you are using Windows, I've got nothing for you right now. Sorry

Language

The Ruby on Rails framework is of course built on Ruby. This particular version runs best on version 1.9.3 of Ruby. There are several ways this can work but we will use the Ruby Version Manager.
RVM has a great site and if you need more info than what I've provided you can find it available here.

1) To begin the install of RVM, from the command line, type:
$ \curl -#L https://get.rvm.io | bash -s stable --autolibs=3 --ruby

2) Then install Ruby 1.9.3
$ rvm install ruby-1.9.3

3) Then clone the repo into a directory of your choosing
$ git clone git://github.com/cktricky/railsgoat.git

4) Now change into the directory you just downloaded and accept the .rvmrc file (type: yes)
$ cd railsgoat

5) Install the gems
$ bundle install

5a) if you get an error about bundler not being installed
$ gem install bundler (run step 5 again)

6) Initialize the database
$ rake db:setup

7) Start the application
$ rails s

8) Browse to the application at http://localhost:3000

Warning

This application has very serious vulnerabilities inside of it. Do not bind it to a public interface unless you have limited connectivity to the system hosting this application.

Pow

If you have not heard of Pow, it will allow you to browse to a URL name of your choice (minus the TLD always being ".dev"). For example, I want a URL of railsgoat.dev instead of localhost:3000. It is useful stuff and simple to get going. Here is the link to the Pow website

Pow Installation
1) Open a terminal, type:
$ curl get.pow.cx | sh

2) Create a URL of your choosing (we choose railsgoat.dev). Note that I have railsgoat stored under the ~/tmp directory:
$ cd ~/.pow
ln -s ~/tmp/railsgoat railsgoat
open http://railsgoat.dev


3) You are finished!

3a) Remember, if you make any Rails changes that would normally require a restart of the framework (adding an initializer file, for example), you need to restart Pow. In order to do that, navigate to the railsgoat directory and type:
$ powder restart

Database Commands

The following is a list of basic database commands that may be helpful when administering the site.

Delete the entire database
$ rake db:drop

Create the database file
$ rake db:create

Create the columns and migrate over any database changes
$ rake db:migrate

Seed the database with data
$ rake db:seed

Completely rebuild the database (deletes/creates/migrates/seeds)
$ rake db:setup

Unicorn

If you throw a large amount of requests at this application, WEBrick just won't do. You'll need a beefier Rack HTTP Server. I'd suggest running Unicorn. Keep in mind, if you are running Pow, you are already good to go. If not running Pow and need the extra power:

Start Unicorn
$ rvmsudo bundle exec unicorn -p 3000

Stop Unicorn
type ctrl + c

Updating code

Keeping the project up-to-date is fairly easy. Navigate to the railsgoat directory.

Type:
$ git pull origin master

Next, make sure any new gems are updated and installed:
$ bundle

Restart Pow (if using)
$ powder restart

How to use the application

The application is designed in a "choose your own adventure" style. Once the application is up and running, navigate to the tutorials homepage and it will walk you through it.

Essentially, you can either go straight into attacking the application and identifying weaknesses or you can look at each tutorial to get an idea how each vulnerability is introduced, how to fix it, and how to attack it. For those who just want a hint, each tutorial comes with one!