OWASP AspGoat

AspGoat’s purpose is to provide an intentionally vulnerable ASP.NET Core web application that helps developers and security professionals learn, practice, and teach application security. It bridges the gap between exploitation and remediation by offering hands-on labs aligned with the OWASP Top 10 and beyond.

Road Map

  • Q1: Launch initial release with core OWASP Top 10 (and more) vulnerabilities, Docker setup, and documentation.
  • Q2: Add advanced vulnerabilities (JWT, GraphQL, SSTI, OAuth, LLM Vulnerabilities).
  • Q3: Add STRIDE threat modeling overlays for each vulnerability class to highlight architectural risks.
  • Q4: Integrate the ModSecurity WAF module to make the challenges harder (with a button to switch to hard mode).
  • Future Extension: Integrate a vulnerable .NET API, either as part of this project or as a separate project.

Example

1. Solve the Lab



2. Find the vulnerability in the source code



3. Replace it with the secure code