diff --git a/.ruby-version b/.ruby-version
index 2714f53..7ee07b8 100644
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-2.6.4
+2.7.0-preview1
diff --git a/.travis.yml b/.travis.yml
index ef9b8cf..eabb9f5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,7 @@
 language: ruby
 rvm:
   - "2.6.4"
+  - "2.7.0-preview1"
 
 before_install:
   - "phantomjs --version"
diff --git a/Dockerfile b/Dockerfile
index fa65553..5d3f7c0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ruby:2.6.2
+FROM ruby:2.7.0-preview1
 RUN apt-get update -qq && apt-get install -y build-essential libpq-dev nodejs
 RUN mkdir /myapp
 WORKDIR /myapp
diff --git a/Gemfile b/Gemfile
index 4927f06..598addf 100644
--- a/Gemfile
+++ b/Gemfile
@@ -2,9 +2,9 @@
 source "https://rubygems.org"
 
 #don't upgrade
-gem "rails", "5.1.7"
+gem "rails", "6.0.0"
 
-ruby "2.6.4"
+ruby "2.7.0"
 
 gem "aruba"
 gem "bcrypt"
diff --git a/Gemfile.lock b/Gemfile.lock
index db56c29..ef70067 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,46 +1,63 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.1.7)
-      actionpack (= 5.1.7)
+    actioncable (6.0.0)
+      actionpack (= 6.0.0)
       nio4r (~> 2.0)
-      websocket-driver (~> 0.6.1)
-    actionmailer (5.1.7)
-      actionpack (= 5.1.7)
-      actionview (= 5.1.7)
-      activejob (= 5.1.7)
+      websocket-driver (>= 0.6.1)
+    actionmailbox (6.0.0)
+      actionpack (= 6.0.0)
+      activejob (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
+      mail (>= 2.7.1)
+    actionmailer (6.0.0)
+      actionpack (= 6.0.0)
+      actionview (= 6.0.0)
+      activejob (= 6.0.0)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.1.7)
-      actionview (= 5.1.7)
-      activesupport (= 5.1.7)
+    actionpack (6.0.0)
+      actionview (= 6.0.0)
+      activesupport (= 6.0.0)
       rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.1.7)
-      activesupport (= 5.1.7)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actiontext (6.0.0)
+      actionpack (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
+      nokogiri (>= 1.8.5)
+    actionview (6.0.0)
+      activesupport (= 6.0.0)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.1.7)
-      activesupport (= 5.1.7)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activejob (6.0.0)
+      activesupport (= 6.0.0)
       globalid (>= 0.3.6)
-    activemodel (5.1.7)
-      activesupport (= 5.1.7)
-    activerecord (5.1.7)
-      activemodel (= 5.1.7)
-      activesupport (= 5.1.7)
-      arel (~> 8.0)
-    activesupport (5.1.7)
+    activemodel (6.0.0)
+      activesupport (= 6.0.0)
+    activerecord (6.0.0)
+      activemodel (= 6.0.0)
+      activesupport (= 6.0.0)
+    activestorage (6.0.0)
+      actionpack (= 6.0.0)
+      activejob (= 6.0.0)
+      activerecord (= 6.0.0)
+      marcel (~> 0.3.1)
+    activesupport (6.0.0)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
+      zeitwerk (~> 2.1, >= 2.1.8)
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
-    arel (8.0.0)
     aruba (0.14.11)
       childprocess (>= 0.6.3, < 3.0.0)
       contracts (~> 0.9)
@@ -73,9 +90,9 @@ GEM
       rake (< 13.0)
     cliver (0.3.2)
     coderay (1.1.2)
-    coffee-rails (4.2.2)
+    coffee-rails (5.0.0)
       coffee-script (>= 2.2.0)
-      railties (>= 4.0.0)
+      railties (>= 5.2.0)
     coffee-script (2.4.1)
       coffee-script-source
       execjs
@@ -103,6 +120,7 @@ GEM
     debug_inspector (0.0.3)
     diff-lcs (1.3)
     docile (1.3.2)
+    dotenv (0.7.0)
     em-websocket (0.5.1)
       eventmachine (>= 0.12.9)
       http_parser.rb (~> 0.6.0)
@@ -110,8 +128,9 @@ GEM
     eventmachine (1.2.7)
     execjs (2.7.0)
     ffi (1.11.1)
-    foreman (0.85.0)
-      thor (~> 0.19.1)
+    foreman (0.64.0)
+      dotenv (~> 0.7.0)
+      thor (>= 0.13.6)
     formatador (0.2.5)
     gherkin (5.1.0)
     globalid (0.4.2)
@@ -165,7 +184,10 @@ GEM
     lumberjack (1.0.13)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
+    marcel (0.3.3)
+      mimemagic (~> 0.3.2)
     method_source (0.9.2)
+    mimemagic (0.3.3)
     mini_mime (1.0.2)
     mini_portile2 (2.4.0)
     minitest (5.11.3)
@@ -202,17 +224,20 @@ GEM
       rack
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (5.1.7)
-      actioncable (= 5.1.7)
-      actionmailer (= 5.1.7)
-      actionpack (= 5.1.7)
-      actionview (= 5.1.7)
-      activejob (= 5.1.7)
-      activemodel (= 5.1.7)
-      activerecord (= 5.1.7)
-      activesupport (= 5.1.7)
+    rails (6.0.0)
+      actioncable (= 6.0.0)
+      actionmailbox (= 6.0.0)
+      actionmailer (= 6.0.0)
+      actionpack (= 6.0.0)
+      actiontext (= 6.0.0)
+      actionview (= 6.0.0)
+      activejob (= 6.0.0)
+      activemodel (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
       bundler (>= 1.3.0)
-      railties (= 5.1.7)
+      railties (= 6.0.0)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
@@ -220,12 +245,12 @@ GEM
     rails-html-sanitizer (1.2.0)
       loofah (~> 2.2, >= 2.2.2)
     rails-perftest (0.0.7)
-    railties (5.1.7)
-      actionpack (= 5.1.7)
-      activesupport (= 5.1.7)
+    railties (6.0.0)
+      actionpack (= 6.0.0)
+      activesupport (= 6.0.0)
       method_source
       rake (>= 0.8.7)
-      thor (>= 0.18.1, < 2.0)
+      thor (>= 0.20.3, < 2.0)
     rainbow (3.0.0)
     raindrops (0.19.0)
     rake (12.3.3)
@@ -300,7 +325,7 @@ GEM
     therubyracer (0.12.3)
       libv8 (~> 3.16.14.15)
       ref
-    thor (0.19.4)
+    thor (0.20.3)
     thread_safe (0.3.6)
     tilt (2.0.9)
     travis-lint (2.0.0)
@@ -316,11 +341,12 @@ GEM
     unicorn (5.5.1)
       kgio (~> 2.6)
       raindrops (~> 0.7)
-    websocket-driver (0.6.5)
+    websocket-driver (0.7.1)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.4)
     xpath (3.2.0)
       nokogiri (~> 1.8)
+    zeitwerk (2.1.10)
 
 PLATFORMS
   ruby
@@ -350,7 +376,7 @@ DEPENDENCIES
   pry-rails
   puma
   rack-livereload
-  rails (= 5.1.7)
+  rails (= 6.0.0)
   rails-perftest
   rake
   rb-fsevent
@@ -369,7 +395,7 @@ DEPENDENCIES
   unicorn
 
 RUBY VERSION
-   ruby 2.6.4p104
+   ruby 2.7.0p-1
 
 BUNDLED WITH
-   1.17.3
+   2.1.0.pre.1
diff --git a/README.md b/README.md
index cc3ae38..e3c1556 100755
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # RailsGoat [![Build Status](https://api.travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat)
 
-RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
+RailsGoat is a vulnerable version of the Ruby on Rails Framework from versions 3 to 6. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
 
 ## Support
 
@@ -18,7 +18,7 @@ After installing the above software, clone this repo:
 $ git clone git@github.com:OWASP/railsgoat.git
 ```
 
-**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 5.** Otherwise, if you wish to use the Rails 3 or 4 versions, you'll need to switch branches:
+**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 6.** Otherwise, if you wish to use the Rails 3 or 4 versions, you'll need to switch branches:
 
 ```bash
 $ cd railsgoat
@@ -73,7 +73,7 @@ Note: if your container exits with an error, it may be because a server is alrea
 ```
 A server is already running. Check /myapp/tmp/pids/server.pid.
 => Booting Thin
-=> Rails 5.0.1 application starting in development on
+=> Rails 6.0.0 application starting in development on
 http://0.0.0.0:3000
 => Run `rails server -h` for more startup options
 => Ctrl-C to shutdown server
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 53615f7..8e1d7a0 100755
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -34,7 +34,7 @@ class AdminController < ApplicationController
   def update_user
     user = User.find_by_id(params[:admin_id])
     if user
-      user.update_attributes(params[:user].reject { |k| k == ("password" || "password_confirmation") })
+      user.update(params[:user].reject { |k| k == ("password" || "password_confirmation") })
       pass = params[:user][:password]
       user.password = pass if !(pass.blank?)
       user.save!
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index cc04a07..3a5e061 100755
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -29,7 +29,7 @@ class UsersController < ApplicationController
     user = User.where("id = '#{params[:user][:id]}'")[0]
 
     if user
-      user.update_attributes(user_params_without_password)
+      user.update(user_params_without_password)
       if params[:user][:password].present? && (params[:user][:password] == params[:user][:password_confirmation])
         user.password = params[:user][:password]
       end
diff --git a/config/application.rb b/config/application.rb
index b27f634..ec6f9a8 100755
--- a/config/application.rb
+++ b/config/application.rb
@@ -55,5 +55,7 @@ module Railsgoat
     config.assets.version = "1.0"
 
     I18n.config.enforce_available_locales = false
+
+    config.action_dispatch.return_only_media_type_on_content_type = false
   end
 end
diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index bceabf3..ea411bf 100755
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -5,5 +5,4 @@
 # If you change this key, all old signed cookies will become invalid!
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
-Railsgoat::Application.config.secret_token = "2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4"
 Railsgoat::Application.config.secret_key_base = "2f1d90a26236c3245d96f5606c201a780dc9ca687e5ed82b45e211bb5dc84c1870f61ca9e002dad5dd8a149c9792d8f07f31a9575065cca064bd6af44f8750e4"
diff --git a/spec/vulnerabilities/sensitive_data_exposure.rb b/spec/vulnerabilities/sensitive_data_exposure.rb
index 08cbaf3..9d9380b 100644
--- a/spec/vulnerabilities/sensitive_data_exposure.rb
+++ b/spec/vulnerabilities/sensitive_data_exposure.rb
@@ -7,7 +7,7 @@ feature "sensitive data exposure" do
 
   before do
     UserFixture.reset_all_users
-    normal_user.work_info.update_attribute(:SSN, user_ssn)
+    normal_user.work_info.update(:SSN, user_ssn)
 
     pending unless verifying_fixed?
   end
diff --git a/spec/vulnerabilities/sql_injection_spec.rb b/spec/vulnerabilities/sql_injection_spec.rb
index dd22d32..3196975 100644
--- a/spec/vulnerabilities/sql_injection_spec.rb
+++ b/spec/vulnerabilities/sql_injection_spec.rb
@@ -22,7 +22,7 @@ feature "sql injection" do
       fill_in "user_password_confirmation", with: "hacketyhack"
 
       # this is a hidden field, so cannot use fill_in to access it.
-      find(:xpath, "//input[@id='user_id']", visible: false).set "8' OR admin='t') --"
+      find(:xpath, "//input[@id='user_id']", visible: false).set "8' OR 1 == 1) --"
     end
     click_on "Submit"