railsgoat
RailsGoat is an open-source, deliberately vulnerable Rails application maintained by OWASP. It demonstrates real-world security flaws from the OWASP Top 10 and is designed as a hands-on training platform for developers and security professionals to learn how vulnerabilities manifest and how to remediate them.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | OWASP/railsgoat |
| Owner | OWASP |
| Primary language | HTML |
| License | MIT — OSI-approved |
| Stars | 922 |
| Forks | 819 |
| Open issues | 3 |
| Latest release | rails.5.0.0 (2018-03-10) |
| Last updated | 2026-01-28 |
| Source | https://github.com/OWASP/railsgoat |
What railsgoat is
RailsGoat is a Ruby on Rails web application (currently Rails 8.0, Ruby 3.4.1) that intentionally embeds OWASP Top 10 vulnerabilities including SQL injection, XSS, authentication bypasses, and insecure direct object references. It includes a training mode with test harnesses and wiki documentation for each vulnerability, plus support for multiple Rails versions via branching and optional MySQL configuration.
Get the railsgoat source
Clone the repository and explore it locally.
git clone https://github.com/OWASP/railsgoat.gitcd railsgoat# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Ruby 3.4.1, Git, SQLite3, and optional MySQL for full vulnerability coverage. Use GoRails setup guides if team is new to Ruby environments.
- Training mode (rails training) runs tests that fail on vulnerable code; maintainer mode (RAILSGOAT_MAINTAINER=yes) inverts logic for CI verification. Choose the mode appropriate to your use case.
- Set up MailCatcher (gem install mailcatcher) if email-based vulnerabilities (e.g., information disclosure) are part of your curriculum.
- Docker Compose deployment is available; note that Apple Silicon requires Rosetta, and lingering pids may cause startup issues.
- Multiple Rails version branches (rails_3_2, rails_4_2, rails_5) exist if you need to teach security across different framework versions.
When to avoid it — and what to weigh
- You need a production-ready application — RailsGoat is deliberately insecure and must never be deployed on a public server or network. It is explicitly designed for isolated training environments only.
- You require support for frameworks outside Rails — RailsGoat is Rails-specific. If your team primarily uses Django, Spring, ASP.NET, or other frameworks, you will need a different training resource aligned to your tech stack.
- Your team needs up-to-date Rails 6+ best practices — While the main branch runs Rails 8, the latest release tag is from 2018 (rails.5.0.0). Although recent commits exist, the formal release cycle is dormant; vulnerabilities may not reflect current Rails security idioms.
- You need vendor SLA or commercial support — RailsGoat is community-maintained open-source under MIT license. There is no commercial support contract, SLA, or guaranteed response time for issues or security updates.
License & commercial use
RailsGoat is licensed under the MIT License (MIT), which is a permissive, OSI-approved open-source license. It grants rights to use, modify, and distribute the software, subject to including the license text and copyright notice.
The MIT License permits commercial use, including incorporation into paid training, consulting, or educational programs. However, there is no warranty, indemnification, or commercial support from the OWASP project. Any commercial use should include independent review of licensing compliance and risk allocation. No patent protection or commercial guarantees are provided.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
RailsGoat is intentionally vulnerable and must be run only in isolated, non-networked or sandboxed environments (local dev machines, air-gapped labs, containerized training clouds). Never expose it on public networks or use production database credentials. Vulnerabilities include SQL injection, XSS, CSRF, authentication bypass, and insecure object references—all exploitable for unauthorized data access or code execution. The application is not a security product; it is a training tool. Learners should be supervised and aware of legal and ethical constraints.
Alternatives to consider
DVWA (Damn Vulnerable Web Application)
PHP/MySQL alternative covering OWASP Top 10; widely used, language-agnostic training platform. Useful if your team is not Rails-focused or prefers PHP environments.
WebGoat (OWASP)
Interactive, browser-based training tool with lessons and progressive challenges. Language-agnostic and structured for guided learning; good if you want a more linear curriculum.
Juice Shop (OWASP)
Modern, Node.js-based vulnerable app with modern web stack (JavaScript, Angular). Better fit if training needs to cover contemporary frontend and API security.
Build on railsgoat with DEV.co software developers
Set up RailsGoat in your isolated lab environment and start exploring real-world vulnerabilities. Pair it with Devco's application security and web development expertise to embed secure coding practices into your team's workflow.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
railsgoat FAQ
Can I use RailsGoat in a production environment?
Which Rails versions are supported?
Is there commercial support or an SLA?
How do I set up RailsGoat for a team of trainees?
Software development & web development with DEV.co
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If railsgoat is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.
Ready to Build Secure Rails Applications?
Set up RailsGoat in your isolated lab environment and start exploring real-world vulnerabilities. Pair it with Devco's application security and web development expertise to embed secure coding practices into your team's workflow.