Skip to content

Contrast-Security-OSS/demo-railsgoat

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
app
app
 
 
config
config
 
 
db
db
 
 
doc
doc
 
 
lib
lib
 
 
log
log
 
 
public
public
 
 
script
script
 
 
spec
spec
 
 
vendor/assets
vendor/assets
 
 
.gitignore
.gitignore
 
 
.overcommit.yml
.overcommit.yml
 
 
.powrc
.powrc
 
 
.rspec
.rspec
 
 
.rubocop.yml
.rubocop.yml
 
 
.ruby-gemset
.ruby-gemset
 
 
.ruby-version
.ruby-version
 
 
1-Build-Docker-Image.sh
1-Build-Docker-Image.sh
 
 
2-Deploy-Docker-Image-To-Docker-Hub.sh
2-Deploy-Docker-Image-To-Docker-Hub.sh
 
 
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
Dockerfile
Dockerfile
 
 
Gemfile
Gemfile
 
 
Gemfile.lock
Gemfile.lock
 
 
Guardfile
Guardfile
 
 
ISSUE_TEMPLATE.md
ISSUE_TEMPLATE.md
 
 
Jenkinsfile
Jenkinsfile
 
 
LICENSE.md
LICENSE.md
 
 
Procfile
Procfile
 
 
README.md
README.md
 
 
Rakefile
Rakefile
 
 
config.ru
config.ru
 
 
entrypoint.sh
entrypoint.sh
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
parseyaml.py
parseyaml.py
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

Repository files navigation

RailsGoat: A deliberately insecure Ruby web application

This is a Ruby demo application, based on https://github.com/OWASP/railsgoat.

Warning: The computer running this application will be vulnerable to attacks, please take appropriate precautions.

Running standalone

You can run RailGoat locally on any machine with Ruby and Rails 5.x installed.

  1. Place a contrast_security.yaml file into the application's root folder.

  2. Install the Contrast agent using:

  bundle add contrast-agent
  bundle install
  1. Initialize the database:
  rails db:setup
  1. Start the Thin web server:
  rails server
  1. Browse the application at http://localhost:3000

Running in Docker

You can run RailsGoat within a Docker container, tested on OSX. The agent is added automatically during the Docker build process.

  1. Place a contrast_security.yaml file into the application's root folder.
  2. Build the RailsGoat container image using ./1-Build-Docker-Image.sh
  3. Run the container using
docker run \
  -v $PWD/contrast_security.yaml:/myapp/contrast_security.yaml \
  -e CONTRAST__APPLICATION__NAME=railsgoat \
  -p 3000:3000 railsgoat:latest
  1. Browse the application at http://localhost:3000

Running in Azure (Azure App Service):

Pre-Requisites

  1. Place a contrast_security.yaml file into the application's root folder.
  2. Install Terraform from here: https://www.terraform.io/downloads.html.
  3. Install PyYAML using pip install PyYAML.
  4. Install the Azure cli tools using brew update && brew install azure-cli.
  5. Log into Azure to make sure you cache your credentials using az login.
  6. Edit the variables.tf file (or add a terraform.tfvars) to add your initials, preferred Azure location, app name, server name and environment.
  7. Run terraform init to download the required plugins.
  8. Run terraform plan and check the output for errors.
  9. Run terraform apply to build the infrastructure that you need in Azure, this will output the web address for the application.
  10. Run terraform destroy when you would like to stop the app service and release the resources.

Running automated tests

RailsGoat includes a set of failing Capybara RSpecs, each one indicating that a separate vulnerability exists in the application. To run them, you first need to install PhantomJS (version 2.1.1 has been tested in Dev and on Travis CI), which is required by the Poltergeist Capybara driver. Upon installation, simply run the following task:

rails training

For Docker run:

docker run \
  -v $PWD/contrast_security.yaml:/myapp/contrast_security.yaml \
  -e CONTRAST__APPLICATION__NAME=railsgoat \
  -e TEST=true \
  -p 3000:3000 railsgoat:latest

Updating the Docker Image

You can re-build the docker image (used by Terraform) by running two scripts in order:

  • 1-Build-Docker-Image.sh
  • 2-Deploy-Docker-Image-To-Docker-Hub.sh

License

The MIT License (MIT)

About

No description, website, or topics provided.

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Contributing

Contributing
Activity
Custom properties

Stars

0 stars

Watchers

8 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages