Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Soham7-dev/AspGoat

BranchesTags

Repository files navigation

AspGoat : A Damn Vulnerable ASP.NET Web Application



AspGoat Logo

🐐 AspGoat

An intentionally vulnerable ASP.NET Core web application for learning and practicing Web Application Security.

license stars forks ci-status docker pulls release OWASP

---

πŸ“– About AspGoat

AspGoat is an intentionally vulnerable ASP.NET Core application that helps Security Engineers and Developers analyze and mitigate common web application vulnerabilities. It includes the OWASP Top 10 and beyond, providing hands-on Application Security challenges.

⚠️ Disclaimer: This project is for educational purposes only. Do not deploy to production environments.

✨ Features

  • 🐞 Intentionally vulnerable ASP.NET Core MVC app
  • πŸ“š Hands-on labs for:
    • 🐞 Cross-Site Scripting (XSS)
    • 🐞 Cross-Site Request Forgery (CSRF)
    • 🐞 SQL Injection (SQLi)
    • 🐞 XML External Entity (XXE)
    • 🐞 Local File Inclusion (LFI)
    • 🐞 Remote Code Execution (RCE)
    • 🐞 Unrestricted File Upload
    • 🐞 Information Disclosure
    • 🐞 Broken Authentication
    • 🐞 Server-Side Request Forgery (SSRF)
    • 🐞 Insecure Direct Object Reference (IDOR)
    • 🐞 Insecure Deserialization
    • 🐞 Command Injection
    • 🐞 Prototype Pollution
    • 🐞 Cache Poisoning
    • 🐞 Server Side Template Injection (SSTI)
    • πŸ›‘οΈ Secure vs Insecure coding snippets
    • 🐳 Ready-to-run Docker setup
  • πŸ€– AI / LLM Red-Teaming labs covering:
    • 🐞 Prompt Injection
    • 🐞 Excessive Agency
    • 🐞 Insecure Output Handling

πŸ•ΉοΈ Demo

Demo

πŸͺ› Installation

1. Using Docker (recommended)

Pull the image

docker pull sohamburger/aspgoat:latest

Run the container

docker run --rm -p 8000:8000 sohamburger/aspgoat:latest

Access the app

http://localhost:8000

2. Using .NET SDK

Download and install the .NET SDK 8.0 (LTS) from:
πŸ‘‰ .NET-Download

(The SDK includes the runtime, so this is all you need to build and run AspGoat from source.)

Clone the repository

git clone https://github.com/Soham7-dev/AspGoat.git
cd AspGoat

Restore Dependencies

dotnet restore

Run the app

dotnet run

Access the app

http://localhost:5073

πŸ§ͺ Overview

SQLi

InDe

FileUp

SQLi

SQLi

SQLi

πŸ‘₯ Contributors

Thanks goes to these wonderful people ✨

Made with contrib.rocks.

πŸ“ NOTE

The default username for AspGoat is admin and the default password is admin123. The 🐞 Unrestricted File Upload Lab can break the application. A Hard Reset feature is currently under development which will reset the application (not yet released). As of now, if you break the application during exploitation of the Lab, your only option is cloning the Project again and restart the application. The Client Side JavaScript is obfuscated due to obvious cheating possibilities for Secure Coding challenges. However, there are several tools available for de-obfuscating the JavaScript code and retrieve the clean code again but that is not the core purpose of this Project.

About

AspGoat is an intentionally vulnerable ASP.NET Core application for learning and practicing web application security.

owasp.org/www-project-aspgoat/

Topics

docker open-source csharp dotnet penetration-testing bug-bounty asp-net-core appsec hacktoberfest owasp-top-10 contributions-welcome webapplicationhacking good-first-issue ai-security applicationsecurity productsecurity ai-red-team prompt-injection llm-security ai-red-teaming

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Contributing

Contributing
Activity

Stars

84 stars

Watchers

1 watching

Forks

53 forks
Report repository

Releases 4

v2.0.0 Latest
Sep 25, 2025
+ 3 releases

Packages

No packages published

Contributors 31
+ 17 contributors

Languages