⚠️ INTENTIONALLY VULNERABLE — a security CTF playground.
Every flaw is deliberate and safe-by-construction: no real data, no real auth,
and the dangerous server-side bits are simulated.
// web exploitation · capture the flag
Break the web. Capture the flags.
A range of real, deliberately-planted web vulnerabilities — from warm-up scanner bait to a hard tier that only falls to a genuine exploit chain. Bring your favourite LLM and see how far it gets.
Multi-step chains, blind/OOB, filter bypass, auth confusion — each gated by a real FLAG{…} you only earn by fully exploiting it. Built to resist one-shot scanners.
Warm-up tier below · real genuine (client-side / mock-data) · sim simulated (telltale response, no real shell/fs/db/internal-net).