These tutorials assume you are running Linux or Mac OS. If you are using Windows, I've got nothing for you right now. Sorry.
The Ruby on Rails framework is, of course, built on Ruby. This particular version runs best on version 1.9.3 of Ruby. There are several ways to set this up, but we will use the Ruby Version Manager (RVM). RVM has a great site, and if you need more info than what I've provided, you can find it here.
1) To begin the install of RVM, from the command line, type:
$ \curl -#L https://get.rvm.io | bash -s stable --autolibs=3 --ruby
2) Then install Ruby 1.9.3:
$ rvm install ruby-1.9.3
3) Then clone the repo into a directory of your choosing:
$ git clone git://github.com/cktricky/railsgoat.git
4) Now change into the directory you just downloaded and accept the .rvmrc file (type: yes):
$ cd railsgoat
5) Install the gems:
$ bundle install
5a) If you get an error about bundler not being installed:
$ gem install bundler
(run step 5 again)
6) Initialize the database:
$ rake db:setup
7) Start the application:
$ rails s
8) Browse to the application at http://localhost:3000
This application has very serious vulnerabilities inside of it. Do not bind it to a public interface unless you have limited connectivity to the system hosting this application.
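One way to check the warning above once the server is running, as an added example that is not part of the original tutorial: the function reads `lsof -nP -iTCP -sTCP:LISTEN` output and prints every listener on the given port that is not bound to loopback. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report listeners on PORT that are reachable from other hosts.
# Input : lines in `lsof -nP -iTCP -sTCP:LISTEN` format on stdin.
# Output: "address command pid" for each listener on PORT not bound to loopback.
exposed_listeners() {
    port="$1"
    awk -v port="$port" '
        $NF == "(LISTEN)" {
            name = $(NF - 1)              # e.g. *:3000, 127.0.0.1:3000, [::1]:3000
            n = split(name, parts, ":")
            if (parts[n] != port) next    # a different service, ignore it
            # The address is everything before the final ":port".
            addr = substr(name, 1, length(name) - length(parts[n]) - 1)
            # Loopback bindings are only reachable from this machine.
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "localhost") next
            print addr, $1, $2            # wildcard or routable address
        }'
}

# Constructed sample listing (not captured from a real host).
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ruby     4211 dev    10u  IPv4 0x1a2b      0t0  TCP *:3000 (LISTEN)
ruby     4302 dev    11u  IPv4 0x1a2c      0t0  TCP 127.0.0.1:3000 (LISTEN)
ruby     4302 dev    12u  IPv6 0x1a2d      0t0  TCP [::1]:3000 (LISTEN)
postgres  880 pg      5u  IPv4 0x1a2e      0t0  TCP *:5432 (LISTEN)
EOF
}

# Demo on the sample; only the wildcard binding on port 3000 is reported.
sample_lsof | exposed_listeners 3000

# Live use on the host running the application:
#   lsof -nP -iTCP -sTCP:LISTEN | exposed_listeners 3000
```

Empty output means port 3000 is only reachable from the local machine. If a line is printed, restart the server bound to loopback, for example with `rails s -b 127.0.0.1`, or restrict access with a host firewall.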
If you have not heard of Pow, it lets you browse to a host name of your choice (the TLD is always ".dev"). For example, I want a URL of railsgoat.dev instead of localhost:3000. It is useful stuff and simple to get going. Here is the link to the Pow website.
Pow Installation
1) Open a terminal, type:
$ curl get.pow.cx | sh
2) Create a URL of your choosing (we choose railsgoat.dev). Note that I have railsgoat stored under the ~/tmp directory:
$ cd ~/.pow
$ ln -s ~/tmp/railsgoat railsgoat
$ open http://railsgoat.dev
3) You are finished!
3a) Remember, if you make any Rails changes that would normally require a restart of the framework (adding an initializer file, for example), you need to restart Pow. To do that, navigate to the railsgoat directory and type:
$ powder restart
The following is a list of basic database commands that may be helpful when administering the site.
Delete the entire database:
$ rake db:drop
Create the database file:
$ rake db:create
Create the columns and migrate over any database changes:
$ rake db:migrate
Seed the database with data:
$ rake db:seed
Completely rebuild the database (deletes/creates/migrates/seeds):
$ rake db:setup
If you throw a large number of requests at this application, WEBrick just won't do. You'll need a beefier Rack HTTP server. I'd suggest running Unicorn. Keep in mind, if you are running Pow, you are already good to go. If you are not running Pow and need the extra power:
Start Unicorn:
$ rvmsudo bundle exec unicorn -p 3000
Stop Unicorn: press Ctrl + C
Keeping the project up-to-date is fairly easy. Navigate to the railsgoat directory. Type:
$ git pull origin master
Next, make sure any new gems are updated and installed:
$ bundle
Restart Pow (if using):
$ powder restart
How to use the application
The application is designed in a "choose your own adventure" style. Once the application is up and running, navigate to the tutorials homepage and it will walk you through it.
Essentially, you can either go straight into attacking the application and identifying weaknesses, or you can look at each tutorial to get an idea of how each vulnerability is introduced, how to fix it, and how to attack it. For those who just want a hint, each tutorial comes with one!