An intentionally vulnerable ASP.NET Core web application for learning and practicing Web Application Security.

AspGoat is an intentionally vulnerable ASP.NET Core application that helps Security Engineers and Developers analyze and mitigate common web application vulnerabilities. It includes the OWASP Top 10 and beyond, providing hands-on Application Security challenges.

⚠️ Disclaimer: This project is for educational purposes only. Do not deploy to production environments.

• 🐞 Intentionally vulnerable ASP.NET Core MVC app
• 📚 Hands-on labs for:
  • 🐞 Cross-Site Scripting (XSS)
  • 🐞 Cross-Site Request Forgery (CSRF)
  • 🐞 SQL Injection (SQLi)
  • 🐞 XML External Entity (XXE)
  • 🐞 Local File Inclusion (LFI)
  • 🐞 Remote Code Execution (RCE)
  • 🐞 Unrestricted File Upload
  • 🐞 Information Disclosure
  • 🐞 Broken Authentication
  • 🐞 Server-Side Request Forgery (SSRF)
  • 🐞 Insecure Direct Object Reference (IDOR)
  • 🐞 Insecure Deserialization
  • 🐞 Command Injection
  • 🐞 Prototype Pollution
  • 🐞 Cache Poisoning
  • 🐞 Server Side Template Injection (SSTI)
  • 🛡️ Secure vs Insecure coding snippets
  • 🐳 Ready-to-run Docker setup
• 🤖 AI / LLM Red-Teaming labs covering:
  • 🐞 Prompt Injection
  • 🐞 Excessive Agency
  • 🐞 Insecure Output Handling

docker pull sohamburger/aspgoat:latest

docker run --rm -p 8000:8000 sohamburger/aspgoat:latest

http://localhost:8000

Download and install the .NET SDK 8.0 (LTS) from:
👉 .NET-Download

(The SDK includes the runtime, so this is all you need to build and run AspGoat from source.)

git clone https://github.com/Soham7-dev/AspGoat.git

cd AspGoat

dotnet restore

dotnet run

http://localhost:5073

Thanks goes to these wonderful people ✨

Made with contrib.rocks.

The default username for AspGoat is admin and the default password is admin123. The 🐞 Unrestricted File Upload Lab can break the application. A Hard Reset feature is currently under development which will reset the application (not yet released). As of now, if you break the application during exploitation of the Lab, your only option is cloning the Project again and restart the application. The Client Side JavaScript is obfuscated due to obvious cheating possibilities for Secure Coding challenges. However, there are several tools available for de-obfuscating the JavaScript code and retrieve the clean code again but that is not the core purpose of this Project.