MCPcopy Index your code
hub / github.com/Soham7-dev/AspGoat

github.com/Soham7-dev/AspGoat @v2.0.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v2.0.0 ↗ · + Follow
290 symbols 475 edges 33 files 0 documented · 0%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

AspGoat : A Damn Vulnerable ASP.NET Web Application

AspGoat Logo

🐐 AspGoat

An intentionally vulnerable ASP.NET Core web application for learning and practicing Web Application Security.

license stars forks ci-status docker pulls


📖 About AspGoat

AspGoat is an intentionally vulnerable ASP.NET Core application that helps Security Engineers and Developers analyze and mitigate common web application vulnerabilities. It includes the OWASP Top 10 and beyond, providing hands-on Application Security challenges.

⚠️ Disclaimer: This project is for educational purposes only. Do not deploy to production environments.


✨ Features

  • 🐞 Intentionally vulnerable ASP.NET Core MVC app
  • 📚 Hands-on labs for:
  • 🐞 Cross-Site Scripting (XSS)
  • 🐞 Cross-Site Request Forgery (CSRF)
  • 🐞 SQL Injection (SQLi)
  • 🐞 XML External Entity (XXE)
  • 🐞 Local File Inclusion (LFI)
  • 🐞 Remote Code Execution (RCE)
  • 🐞 Unrestricted File Upload
  • 🐞 Information Disclosure
  • 🐞 Broken Authentication
  • 🐞 Server-Side Request Forgery (SSRF)
  • 🐞 Insecure Direct Object Reference (IDOR)
  • 🐞 Insecure Deserialization
  • 🐞 Command Injection
  • 🐞 Prototype Pollution
  • 🐞 Cache Poisoning
  • 🐞 Server Side Template Injection (SSTI)
  • 🛡️ Secure vs Insecure coding snippets
  • 🐳 Ready-to-run Docker setup
  • 🤖 AI / LLM Red-Teaming labs covering:
  • 🐞 Prompt Injection
  • 🐞 Excessive Agency
  • 🐞 Insecure Output Handling

🕹️ Demo

Demo


🪛 Installation

1. Using Docker (recommended)

Pull the image

docker pull sohamburger/aspgoat:latest

Run the container

docker run --rm -p 8000:8000 sohamburger/aspgoat:latest

Access the app

http://localhost:8000

2. Using .NET SDK

Download and install the .NET SDK 8.0 (LTS) from:
👉 .NET-Download

(The SDK includes the runtime, so this is all you need to build and run AspGoat from source.)

Clone the repository

git clone https://github.com/Soham7-dev/AspGoat.git
cd AspGoat

Restore Dependencies

dotnet restore

Run the app

dotnet run

Access the app

http://localhost:5073

👥 Contributors

Thanks goes to these wonderful people ✨

Made with contrib.rocks.


📝 NOTE

The default username for AspGoat is admin and the default password is admin123. The 🐞 Unrestricted File Upload Lab can break the application. A Hard Reset feature is currently under development which will reset the application (not yet released). As of now, if you break the application during exploitation of the Lab, your only option is cloning the Project again and restart the application. The Client Side JavaScript is obfuscated due to obvious cheating possibilities for Secure Coding challenges. However, there are several tools available for de-obfuscating the JavaScript code and retrieve the clean code again but that is not the core purpose of this Project.

Core symbols most depended-on inside this repo

_0x1977
called by 22
wwwroot/js/ssti.js
_0x4772
called by 21
wwwroot/js/cp.js
_0x2a4135
called by 19
wwwroot/js/cp.js
_0x57e4e4
called by 19
wwwroot/js/cp.js
_0x533c95
called by 16
wwwroot/js/ssti.js
_0x2f4a3b
called by 10
wwwroot/js/cp.js
_0x1348dc
called by 10
wwwroot/js/cp.js
_0x25387a
called by 10
wwwroot/js/ssti.js

Shape

Function 247
Method 33
Class 10

Languages

TypeScript85%
C#15%

Modules by API surface

wwwroot/js/ssti.js44 symbols
wwwroot/js/cp.js40 symbols
Controllers/HomeController.cs25 symbols
wwwroot/js/protopol.js10 symbols
wwwroot/js/commin.js10 symbols
wwwroot/js/bauth.js10 symbols
wwwroot/js/xxe.js9 symbols
wwwroot/js/sxss.js9 symbols
wwwroot/js/ssrf.js9 symbols
wwwroot/js/sqli.js9 symbols
wwwroot/js/rxss.js9 symbols
wwwroot/js/openre.js9 symbols

For agents

$ claude mcp add AspGoat \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact