A Python-based web platform for education in web vulnerabilities. Inspired by WebGoat. https://github.com/WebGoat/WebGoat
Run the following commands to install the dependancies for Flask
cd app
pip3 install -r requirements.txt --userUsers should also have a Man in the Middle proxy like OWASP-ZAP or BurpSuite, though not every lesson will require a proxy to complete
To start PyGoat in any Environment run the following command from the app directory:
python run.pyThen navigate to this address in the browser:
http://localhost:5000/Note* This requires an installation of Python 3.7+ in the host environment
Users can configure PyGoat to work with a Proxy Application like ZAP or BurpSuite. It is recommended that new users instead use the simpler method with ZAP or Burp and launch their browser from within the application.
This is only confirmed to work in the Linux Ubuntu Environment. In windows and IOS it is recommended that you launch the browser from ZAP or BurpSuite
Linux environment with Proxy:
chmod +x run.sh
./run.sh-
If you run using this method without using a proxy, the python requests module will throw some nasty errors. To get around this, if you plan on not running a proxy, use run_no_proxy.sh.
-
A web proxy like Burp or Zap should work just fine with PyGoat, but if you aren't seeing all the requests, you will have to export the certificate and convert it to a pem file
-
Navigate to proxy->options->import/export ca certificate
-
Under export, click 'certificate in DER format' and click next
-
choose a location and name for your file and click next to export the certificate
-
openssl x509 -inform der -in <new_certificate_name> -out <your_exported_certificate>- e.g.
openssl x509 -inform der -in certificate.cer -out certificate.pem
- e.g.
* edit run.sh / run.py depending on the user's chosen launch path
* set "certificate_path" to the absolute path of your newly converted certificate
* set "http_proxy" to the address and port for your proxy
PyGoat uses a relatively simple stack of technology. The backend server uses the Python Flask library and a simple SQLite3 database. The frontend client uses React and a Store class to manage state. Custom lessons and custom navigation pages can be dynamically generated by using the jinja2 template engine that is integrated with flask. Devs can also just use plain HTML to write-up and alter lessons and navigation pages.
-
The Combined Client-Server flow-chart detailing how the various parts of the application work together https://drive.google.com/file/d/1UlHXSOOaUFea-V-wjzmNySFG2dzj4mLW/view?usp=sharing
-
File architecture and descriptions of individual files can be found in architecture.txt in the base directory
-
A Figma design for the PyGoat client called PyGoatUI.fig that details the UI specifications can be found in the base directory
-
Read the README.md located within the app/static directory for information on how the React client and it's Component-Based architecture works. Do not edit client js files because changes will be overwritten whenever you start up the babel transpiler, instead any changes should be made to the parent jsx file. details on locations found in the app/static README
- PyGoat uses yaml files to define its lessons. See this wiki page for more details.
- Developers making changes to lessons must be sure to delete the pygoat.db file that gets created in the app directory for the lesson changes to take effect.
The first version of PyGoat was created by a team of software enginerring students at Colorado Mesa University supervised by Dr. Ram Banet. Original team Members included Lucas Walgren (lawalgren@mavs.coloradomesa.edu), Sean Apsey (ssapsey@mavs.coloradomesa.edu), and Taylor Bradshaw (tcbradshaw@mavs.coloradomesa.edu)