whatisgithub

What is owasp2025-top10-ctf?

probiusofficial/owasp2025-top10-ctf — explained in plain English

Analysis updated 2026-05-18

19PythonAudience · developerComplexity · 3/5LicenseSetup · easy

In one sentence

A collection of 24 Dockerized web security challenges covering all categories of the OWASP Top 10:2025, for CTF practice and security training.

Mindmap

mindmap
  root((OWASP 2025 CTF))
    What it does
      24 web security challenges
      OWASP Top 10 practice
    Tech stack
      Python
      Docker
    Use cases
      CTF training
      Security learning
    Audience
      Security learners
      Developers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Practice exploiting real world web vulnerabilities across all 8 OWASP Top 10:2025 categories.

USE CASE 2

Run any of the 24 challenges locally in a single Docker container.

USE CASE 3

Study the included write ups to learn the technique behind each vulnerability.

USE CASE 4

Inject custom flags at startup for use on a CTF platform.

What is it built with?

PythonDocker

How does it compare?

probiusofficial/owasp2025-top10-ctf16nic/comfyui-agnes-ai6c696e68/gpt_signup_hybrid
Stars191919
LanguagePythonPythonPython
Setup difficultyeasymoderatehard
Complexity3/52/54/5
Audiencedevelopervibe coderdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Each challenge runs as a single Docker container.

Use freely for any purpose, including commercial use, as long as you keep the copyright notice.

So what is it?

This is a collection of 24 web security practice challenges built around the OWASP Top 10:2025, a published list of the most critical types of security vulnerabilities found in web applications. The challenges are designed for CTF (Capture the Flag) competitions, security training, and learning about real attack techniques in a safe, intentionally vulnerable environment. The 24 challenges are organized into 8 security categories, with 3 difficulty levels in each: easy, medium, and hard. The categories cover broken access control, security misconfiguration, cryptographic failures, injection attacks, insecure design, authentication failures, data integrity failures, and exception handling. Each category contains deliberately vulnerable web applications that demonstrate specific real-world weaknesses: for example, one easy challenge lets you access other users' documents by changing a number in a URL, while a harder challenge requires exploiting a flaw in how a server encrypts cookies. Every challenge runs as a single Docker container, which means you can start any challenge on your own machine with one command and reach it at a local web address. Each challenge folder includes the full source code, a write-up file that explains the solution and the technique involved, and support for injecting a custom flag at startup through an environment variable. This makes the collection suitable for running in CTF platforms that manage flags dynamically. The README includes a table mapping each challenge to its OWASP category, vulnerability type, and key technique, so learners can find challenges that match what they are studying. The project is MIT licensed and the README is available in both English and Simplified Chinese.

Copy-paste prompts

Prompt 1
Help me start the easy broken access control challenge from this OWASP Top 10:2025 CTF collection using Docker.
Prompt 2
Explain the technique behind the cookie encryption challenge in this repository's write up.
Prompt 3
Show me how to inject a custom flag into one of these challenge containers at startup.
Prompt 4
Walk me through using this collection's OWASP category table to pick challenges for injection attacks.

Frequently asked questions

What is owasp2025-top10-ctf?

A collection of 24 Dockerized web security challenges covering all categories of the OWASP Top 10:2025, for CTF practice and security training.

What language is owasp2025-top10-ctf written in?

Mainly Python. The stack also includes Python, Docker.

What license does owasp2025-top10-ctf use?

Use freely for any purpose, including commercial use, as long as you keep the copyright notice.

How hard is owasp2025-top10-ctf to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is owasp2025-top10-ctf for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.