probiusofficial/owasp2025-top10-ctf — explained in plain English
Analysis updated 2026-05-18
Practice exploiting real world web vulnerabilities across all 8 OWASP Top 10:2025 categories.
Run any of the 24 challenges locally in a single Docker container.
Study the included write ups to learn the technique behind each vulnerability.
Inject custom flags at startup for use on a CTF platform.
| probiusofficial/owasp2025-top10-ctf | 16nic/comfyui-agnes-ai | 6c696e68/gpt_signup_hybrid | |
|---|---|---|---|
| Stars | 19 | 19 | 19 |
| Language | Python | Python | Python |
| Setup difficulty | easy | moderate | hard |
| Complexity | 3/5 | 2/5 | 4/5 |
| Audience | developer | vibe coder | developer |
Figures from each repo's GitHub metadata at analysis time.
Each challenge runs as a single Docker container.
This is a collection of 24 web security practice challenges built around the OWASP Top 10:2025, a published list of the most critical types of security vulnerabilities found in web applications. The challenges are designed for CTF (Capture the Flag) competitions, security training, and learning about real attack techniques in a safe, intentionally vulnerable environment. The 24 challenges are organized into 8 security categories, with 3 difficulty levels in each: easy, medium, and hard. The categories cover broken access control, security misconfiguration, cryptographic failures, injection attacks, insecure design, authentication failures, data integrity failures, and exception handling. Each category contains deliberately vulnerable web applications that demonstrate specific real-world weaknesses: for example, one easy challenge lets you access other users' documents by changing a number in a URL, while a harder challenge requires exploiting a flaw in how a server encrypts cookies. Every challenge runs as a single Docker container, which means you can start any challenge on your own machine with one command and reach it at a local web address. Each challenge folder includes the full source code, a write-up file that explains the solution and the technique involved, and support for injecting a custom flag at startup through an environment variable. This makes the collection suitable for running in CTF platforms that manage flags dynamically. The README includes a table mapping each challenge to its OWASP category, vulnerability type, and key technique, so learners can find challenges that match what they are studying. The project is MIT licensed and the README is available in both English and Simplified Chinese.
A collection of 24 Dockerized web security challenges covering all categories of the OWASP Top 10:2025, for CTF practice and security training.
Mainly Python. The stack also includes Python, Docker.
Use freely for any purpose, including commercial use, as long as you keep the copyright notice.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.