Where to Begin

Platform Support

RailsGoat works on Linux, Mac OS, and Windows. For Windows users, we recommend using WSL2 (Windows Subsystem for Linux) for the best Rails development experience.

Ruby Version Management

RailsGoat is built with Ruby on Rails 8.0 and requires Ruby 3.3.6. We recommend using rbenv to manage your Ruby versions, though RVM is also supported.

Installation Steps

1) Install rbenv and Ruby

Install rbenv and ruby-build:

On macOS (using Homebrew):

$ brew install rbenv ruby-build

On Linux or WSL2:

$ curl -fsSL https://github.com/rbenv/rbenv-installer/raw/HEAD/bin/rbenv-installer | bash

Add rbenv to your shell (add to ~/.bashrc or ~/.zshrc):

$ echo 'eval "$(rbenv init - bash)"' >> ~/.bashrc
$ source ~/.bashrc

Install Ruby 3.3.6:

$ rbenv install 3.3.6
$ rbenv global 3.3.6

Verify installation:

$ ruby -v # Should show: ruby 3.3.6

Alternative: Using RVM

If you prefer RVM, you can install it with:

$ curl -sSL https://get.rvm.io | bash -s stable

Then install Ruby:

$ rvm install 3.3.6 && rvm use 3.3.6 --default

2) Clone the repository

Clone RailsGoat from GitHub:

$ git clone https://github.com/OWASP/railsgoat.git
$ cd railsgoat

3) Install Bundler and dependencies

Install the Bundler gem if you don't have it:

$ gem install bundler

Install all application dependencies:

$ bundle install

4) Setup the database

Initialize the database with seed data:

$ bin/rails db:setup

5) Start the application

Launch the Rails server:

$ bin/rails server

6) Browse to the application

Open your browser and navigate to: http://localhost:3000

Running the Server

Rails 8.0 comes with Puma as the default web server, which is production-ready and handles concurrent requests efficiently.

Start the server

$ bin/rails server

Start on a different port

$ bin/rails server -p 4000

Run in the background

$ bin/rails server -d

Stop a background server

$ kill -9 $(cat tmp/pids/server.pid)
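
The command above sends SIGKILL to whatever PID is recorded in tmp/pids/server.pid, so the server gets no chance to shut down cleanly and a leftover PID file is not detected. The following is an added example, not part of RailsGoat: a shell function (the names stop_server and pid_alive are illustrative) that validates the PID file, sends SIGTERM first, and falls back to SIGKILL only after a timeout.

```bash
# Added example, not RailsGoat's own tooling. stop_server and pid_alive are
# illustrative names; the default PID file path is the one used above.

pid_alive() {
  kill -0 "$1" 2>/dev/null || return 1
  # An exited but unreaped (zombie) process still answers kill -0.
  case "$(ps -o stat= -p "$1" 2>/dev/null)" in Z*) return 1 ;; esac
  return 0
}

# Usage: stop_server [pidfile] [timeout_seconds]
# Returns: 0 stopped after SIGTERM, 1 no PID file, 2 malformed PID file,
#          3 stale PID file (process already gone), 4 SIGKILL was needed.
stop_server() {
  pidfile="${1:-tmp/pids/server.pid}"
  timeout="${2:-10}"
  [ -f "$pidfile" ] || { echo "no PID file at $pidfile" >&2; return 1; }
  pid="$(tr -d '[:space:]' < "$pidfile")"
  case "$pid" in
    ''|*[!0-9]*) echo "$pidfile does not hold a PID" >&2; return 2 ;;
  esac
  if ! pid_alive "$pid"; then
    rm -f "$pidfile"   # stale file: the recorded process is gone
    return 3
  fi
  kill -TERM "$pid" 2>/dev/null   # ask the server to shut down cleanly
  waited=0
  while pid_alive "$pid"; do
    if [ "$waited" -ge "$timeout" ]; then
      kill -KILL "$pid" 2>/dev/null   # last resort, same effect as kill -9
      rm -f "$pidfile"
      return 4
    fi
    sleep 1
    waited=$((waited + 1))
  done
  rm -f "$pidfile"
  return 0
}
```

Source the function and call stop_server from the application root in place of the kill -9 line.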

Database Commands

Here are the essential database commands for managing RailsGoat's database:

Delete the entire database

$ bin/rails db:drop

Create the database

$ bin/rails db:create

Run migrations

$ bin/rails db:migrate

Seed the database with data

$ bin/rails db:seed

Completely rebuild the database (drop/create/migrate/seed)

$ bin/rails db:reset

Reset and re-seed (keeps structure, reloads data)

$ bin/rails db:seed:replant

Development Console

Access the Rails console to interact with your application directly:

$ bin/rails console

Run database queries, test models, and debug issues interactively:

# Example: Find all users
User.all

# Example: Create a test user
User.create(email: '[email protected]', first_name: 'Test', last_name: 'User')

Updating Code

Keep your local copy up-to-date with the latest changes from the repository.

Pull latest changes from the main branch

$ git pull origin master

Update dependencies

$ bundle install

Apply any new database migrations

$ bin/rails db:migrate

Restart the server

$ bin/rails restart

Legacy Note: Older versions of this documentation mentioned Pow and Unicorn. Modern Rails uses Puma by default, which is more performant and easier to configure. If you're interested in legacy server options, they're still available but not recommended for new setups.

How to Use the Application

The application is designed in a "choose your own adventure" style. Once the application is up and running, navigate to the tutorials homepage, which will walk you through it.

Essentially, you can either go straight into attacking the application and identifying weaknesses, or you can look at each tutorial to get an idea of how each vulnerability is introduced, how to fix it, and how to attack it. For those who just want a hint, each tutorial comes with one!

Ready to Start?

Launch the application and navigate to the tutorials section to begin your security training journey!
