
An intentionally vulnerable ASP.NET Core web application for learning and practicing Web Application Security.
AspGoat is an intentionally vulnerable ASP.NET Core application that helps Security Engineers and Developers analyze and mitigate common web application vulnerabilities. It includes the OWASP Top 10 and beyond, providing hands-on Application Security challenges.
⚠️ Disclaimer: This project is for educational purposes only. Do not deploy to production environments.

docker pull sohamburger/aspgoat:latest
docker run --rm -p 8000:8000 sohamburger/aspgoat:latest
http://localhost:8000
Download and install the .NET SDK 8.0 (LTS) from:
👉 .NET-Download
(The SDK includes the runtime, so this is all you need to build and run AspGoat from source.)
git clone https://github.com/Soham7-dev/AspGoat.git
cd AspGoat
dotnet restore
dotnet run
http://localhost:5073
Thanks goes to these wonderful people ✨
Made with contrib.rocks.
The default username for AspGoat is admin and the default password is admin123. The 🐞 Unrestricted File Upload Lab can break the application. A Hard Reset feature is currently under development which will reset the application (not yet released). As of now, if you break the application during exploitation of the Lab, your only option is cloning the Project again and restart the application. The Client Side JavaScript is obfuscated due to obvious cheating possibilities for Secure Coding challenges. However, there are several tools available for de-obfuscating the JavaScript code and retrieve the clean code again but that is not the core purpose of this Project.
$ claude mcp add AspGoat \
-- python -m otcore.mcp_server <graph>