Official URL: https://www.brokenctf.com/
BrokenCTF is a 24-hour jeopardy-style Capture The Flag competition hosted on a realistic e-commerce-themed platform. The site is fully interactive, designed to resemble a functioning online store, but hides a wide range of security vulnerabilities and hidden flags throughout.
Players must navigate, explore, and exploit challenges disguised as everyday features — such as fake login pages, product listings, review sections, admin panels, and embedded scripts.
Challenge Categories:
Web exploitation (SQLi, XSS, file upload bypass, IDOR, open redirect)
Authentication flaws (cookie tampering, JWT manipulation)
AI prompt injection and model reversal
Hidden flags in 404 pages, robots.txt, image metadata, JavaScript source
Honeypots and red herring traps (submitting wrong flags may deduct points)
Duration: 24 hours
Format: Jeopardy-style
Type: Online
URL: https://www.brokenctf.com
Registration: Free and open to all