DEV.co
Open-Source Security · OWASP

railsgoat

RailsGoat is an open-source, deliberately vulnerable Rails application maintained by OWASP. It demonstrates real-world security flaws from the OWASP Top 10 and is designed as a hands-on training platform for developers and security professionals to learn how vulnerabilities manifest and how to remediate them.

Source: GitHub — github.com/OWASP/railsgoat
922
GitHub stars
819
Forks
HTML
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryOWASP/railsgoat
OwnerOWASP
Primary languageHTML
LicenseMIT — OSI-approved
Stars922
Forks819
Open issues3
Latest releaserails.5.0.0 (2018-03-10)
Last updated2026-01-28
Sourcehttps://github.com/OWASP/railsgoat

What railsgoat is

RailsGoat is a Ruby on Rails web application (currently Rails 8.0, Ruby 3.4.1) that intentionally embeds OWASP Top 10 vulnerabilities including SQL injection, XSS, authentication bypasses, and insecure direct object references. It includes a training mode with test harnesses and wiki documentation for each vulnerability, plus support for multiple Rails versions via branching and optional MySQL configuration.

Quickstart

Get the railsgoat source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/OWASP/railsgoat.gitcd railsgoat# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Secure coding training and onboarding

Use RailsGoat to train developers on how real security vulnerabilities are introduced into Rails applications, how to recognize them in code review, and how to implement proper fixes before they reach production.

Security testing and penetration testing practice

Provides a safe, legal sandbox to practice exploitation techniques (SQLi, XSS, CSRF, etc.) and develop testing methodology without legal or ethical risk. Ideal for red-team training and security auditor skill-building.

OWASP Top 10 curriculum delivery

Organizations teaching application security can use RailsGoat alongside its linked wiki documentation to deliver structured, hands-on learning on the ten most critical web security risks in a Rails context.

Implementation considerations

  • Requires Ruby 3.4.1, Git, SQLite3, and optional MySQL for full vulnerability coverage. Use GoRails setup guides if team is new to Ruby environments.
  • Training mode (rails training) runs tests that fail on vulnerable code; maintainer mode (RAILSGOAT_MAINTAINER=yes) inverts logic for CI verification. Choose the mode appropriate to your use case.
  • Set up MailCatcher (gem install mailcatcher) if email-based vulnerabilities (e.g., information disclosure) are part of your curriculum.
  • Docker Compose deployment is available; note that Apple Silicon requires Rosetta, and lingering pids may cause startup issues.
  • Multiple Rails version branches (rails_3_2, rails_4_2, rails_5) exist if you need to teach security across different framework versions.

When to avoid it — and what to weigh

  • You need a production-ready application — RailsGoat is deliberately insecure and must never be deployed on a public server or network. It is explicitly designed for isolated training environments only.
  • You require support for frameworks outside Rails — RailsGoat is Rails-specific. If your team primarily uses Django, Spring, ASP.NET, or other frameworks, you will need a different training resource aligned to your tech stack.
  • Your team needs up-to-date Rails 6+ best practices — While the main branch runs Rails 8, the latest release tag is from 2018 (rails.5.0.0). Although recent commits exist, the formal release cycle is dormant; vulnerabilities may not reflect current Rails security idioms.
  • You need vendor SLA or commercial support — RailsGoat is community-maintained open-source under MIT license. There is no commercial support contract, SLA, or guaranteed response time for issues or security updates.

License & commercial use

RailsGoat is licensed under the MIT License (MIT), which is a permissive, OSI-approved open-source license. It grants rights to use, modify, and distribute the software, subject to including the license text and copyright notice.

The MIT License permits commercial use, including incorporation into paid training, consulting, or educational programs. However, there is no warranty, indemnification, or commercial support from the OWASP project. Any commercial use should include independent review of licensing compliance and risk allocation. No patent protection or commercial guarantees are provided.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

RailsGoat is intentionally vulnerable and must be run only in isolated, non-networked or sandboxed environments (local dev machines, air-gapped labs, containerized training clouds). Never expose it on public networks or use production database credentials. Vulnerabilities include SQL injection, XSS, CSRF, authentication bypass, and insecure object references—all exploitable for unauthorized data access or code execution. The application is not a security product; it is a training tool. Learners should be supervised and aware of legal and ethical constraints.

Alternatives to consider

DVWA (Damn Vulnerable Web Application)

PHP/MySQL alternative covering OWASP Top 10; widely used, language-agnostic training platform. Useful if your team is not Rails-focused or prefers PHP environments.

WebGoat (OWASP)

Interactive, browser-based training tool with lessons and progressive challenges. Language-agnostic and structured for guided learning; good if you want a more linear curriculum.

Juice Shop (OWASP)

Modern, Node.js-based vulnerable app with modern web stack (JavaScript, Angular). Better fit if training needs to cover contemporary frontend and API security.

Software development agency

Build on railsgoat with DEV.co software developers

Set up RailsGoat in your isolated lab environment and start exploring real-world vulnerabilities. Pair it with Devco's application security and web development expertise to embed secure coding practices into your team's workflow.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

railsgoat FAQ

Can I use RailsGoat in a production environment?
No. RailsGoat is deliberately vulnerable and must only be deployed on isolated, non-networked machines or sand-boxed lab environments. Deploying to public networks or production is unsafe and will expose your infrastructure to the vulnerabilities intentionally embedded in the application.
Which Rails versions are supported?
The main branch targets Rails 8.0 with Ruby 3.4.1. Legacy branches exist for Rails 3.2, 4.2, and 5.x. Check out the appropriate branch to match your training curriculum. Note: the latest release tag is from 2018; use the main branch for current Rails versions.
Is there commercial support or an SLA?
No. RailsGoat is open-source, community-maintained under the MIT License. Support is available via OWASP Slack, GitHub issues, and the wiki. There is no commercial support contract, SLA, or guaranteed response time. For commercial training, consider engaging a security training vendor.
How do I set up RailsGoat for a team of trainees?
Use Docker Compose (docker-compose up) for rapid, consistent deployment across team machines. Alternatively, follow the quick-start guide (clone, bundle install, rails db:setup, rails server). Ensure each trainee has an isolated instance and understands the vulnerabilities are intentional. Use training mode (rails training) to run tests that identify vulnerabilities.

Software development & web development with DEV.co

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If railsgoat is part of your open-source security roadmap, our team can implement, customize, migrate, and maintain it.

Ready to Build Secure Rails Applications?

Set up RailsGoat in your isolated lab environment and start exploring real-world vulnerabilities. Pair it with Devco's application security and web development expertise to embed secure coding practices into your team's workflow.