During the process of performing security testing on web applications for both our gaming and non-gaming customers, we often come across the same types of vulnerabilities. These range from Cross-site Scripting (XSS) and SQL Injection to authentication issues and others. Often the reason these vulnerabilities exist is poor coding and testing practices. After all, it is difficult to learn how to write code securely, and even more difficult to practice (legally) performing security assessments. In order to raise awareness, one of our application security engineers, Kyle Rippee, has created a vulnerable casino web application called PyGoat Casino. Recently, PyGoat has become an official OWASP project.
The purpose is to give both developers and testers a platform for learning how to test applications and how to code securely. PyGoat is written in Python and uses the Django web framework as its platform. It has both traditional web application vulnerabilities (e.g. XSS, SQLi) as well as some specifically related to iGaming, such as weaknesses in the random number generator (RNG). Below is a screenshot of the main page of PyGoat.
PyGoat also has an area where you can view the source code, find the mistake that introduced the vulnerability, and make changes to secure it. Currently, we have only released a few vulnerabilities (XSS and SQLi). However, over the next few months we will continue to add more vulnerabilities and enhance the functionality.