Yet another Web-only CTF

Starts on 6/11 at 11:00 AM PDT and lasts 24 hours. Join our Slack channel to get notifications and scroll down to find more details.

Join our Slack Channel!


WeCTF is a Web-only CTF with both intro-level and diabolic challenges. Our vision is to help expose some of the latest vulnerabilities in web technologies, such as side channels and race conditions, as well as to remind people of the good old times, like SQL injection and SSRF. That said, here are a few points we would like you to know before you start playing WeCTF:

Programming Languages: Python, Golang, PHP, C++, JavaScript. All challenges are coded in these languages, and the source code of most challenges will be released. Although it is not required (we do write a lot of comments in our code), we recommend that participants understand the basics of these programming languages.

Services: Redis, SQLite, Flask, etc. Most of the challenges are based on these services, so get familiar with them! In case you would like to know where to learn, here is a great place: youtube.com


  • Can pwners and crypto gurus participate?

    Yes, some challenges will even require you to leverage concepts from pwn. If you have no experience in the Web part of CTFs, then this would be a great way to start.

  • Are challenges guessy?

    No, though some challenges may require you to make a professional guess (e.g. SQL injection when you see ?id=1).

  • Would it be too easy for me?

    I don't know


  • We allow a team to have up to ∞ members.

  • Sharing flags and solutions is strictly prohibited.

  • You are not allowed to DDoS, brute-force, or use scanners against any challenge (unless otherwise noted) or this website.

  • Be respectful to other teams.

  • Using common sense, please do not attack anything beyond the challenges.


  • We may choose to disclose your team name & IP if you have conducted a DDoS attack against our infrastructure.

  • Do not use your daily password anywhere throughout the CTF.

  • Follow common sense.


Following CCC's algorithm:
-- @base + ( @top - @base ) / (1 + (max(0, solves -1)/ 11.92201) ** 1.206069)

Flag Format: we{[UUID]@[[email protected]\$%\^\(\)=]+}

Example Flag: we{[email protected]}

Flag Location: /flag.txt, SELECT flag FROM flags, COOKIE or specified in the challenge.



This can be you!

Past Sponsors:

DigitalOcean

Google Cloud


shou 🐷

author of challenges && platform

qisu 🐼

author of challenges


Version 3.1.1c