CTFd 2.0 & Major League Cyber

CTFd 2.0 & Major League Cyber

Earlier this month, we released CTFd 2.0 with over 300 commits, 40 closed issues, and a whole slew of new built-in features including dynamic value challenges, built in Amazon S3 integration, CSV exporting, and email domain whitelisting.

For the full CHANGELOG check out the CTFd Github.Managed CTFd instances on ctfd.io have already been updated to 2.0 and instructions for open source installations are available in the CTFd CHANGELOG.

CTFd 2.0 is an almost complete reworking of the backend CTFd code. When we started development, it was decided that 2.0 would prioritize removing old unnecessary code.

For example, over the years many different endpoints were added each with a custom understanding of what data to return and how to return it. There was little to no standardization between these endpoints and all of this resulted in a complicated mass of difficult to maintain code.


With 2.0, CTFd now has a versioned, RESTful API built using Flask-RESTPlus.

Significant portions of code were taken out of the original Flask routes and moved into the simpler, easier to maintain, and more organized API routes.

All API routes should respond with data and success values

In tandem with the cleaner API routes, most of the settings and access logic into decorators helps keep the core code clean and enjoyable to work with. One notable benefit from the API is being able to replace a majority of jQuery’s AJAX functions with the more modern fetch() function.

At the moment the API is designed purely for CTFd’s own usage. However, in future releases we expect to slowly open up the API to more and more third party usage in addition to the already available plugin interface.

Real Time Notifications

Real time user notifications

CTFd now has support for realtime notifications/announcements with the help of Flask-SocketIO. With this addition, CTF organizers are able to immediately alert participants to changes from the CTFd administration interface without sending emails.

We expect this feature to eventually evolve into total bi-directional communication and messages targeted to teams and users.

This feature can be tricky to deploy properly and to deploy for scale. We provide managed CTFd deployments at ctfd.io for all kinds of needs and levels of traffic.

Teams and Users

In 2.0, CTFd is moving away from a shared team account for each team. Instead organizers can now choose whether players should play on their own (User Mode) or play together and form teams (Team Mode).

While in Team Mode, CTFd requires all users to either create or join a team. Teams are easy to create and join. The creator only needs to create a team name and team password which is then shared with their teammates.

In User Mode, CTFd operates how it has in the past and users simply create and log in to their own accounts to play in the CTF.

We believe that Team Mode is the future of how CTFs will be played as more and more CTFs are run at all different skill levels. We’ve collected feedback from CTF organizers, schools, and companies who have all expressed interest in the forming of concretely defined teams and more granular tracking of user performance.

Major League Cyber

With the introduction of Users and Teams, we are also spinning up a new project that we call Major League Cyber.

Major League Cyber (MLC) is our new CTF Event Tracker and OAuth provider. With it, organizers can register their events to allow CTF players to automatically login with their MLC accounts.

This year for the CSAW CTF 2018 Finals, we ran the very first beta for Major League Cyber and CTFd 2.0 to great success! You can already see team ratings for all CSAW CTF Finals competitors online.

By logging in from MLC, the challenges that players solve are tracked and recorded so we can generate per-user and per-team skill ratings across categories and competitions.

CTFd features built-in integration with the MLC OAuth provider. Organizers choosing to use CTFd merely need to register their event on majorleaguecyber.org and install the OAuth credentials inside their CTFd instance for users and teams to be able to login through MLC’s OAuth systems.

Major League Cyber represents the next big step in the evolution of CTFd. MLC is in its preliminary stages and we will slowly be ramping up its development alongside both open-source and managed CTFd.

Over time we hope to see many more CTF teams and competitions using MLC.

Thank You & Happy Holidays!

Thanks to the many users who have contributed code, feedback, and testing as we prepared this new release.

If you’d like to contribute to future CTFd releases take a look at the upcoming project milestones and join us on the CTFd Slack.

Special thanks to Oskar Wirga, Leon Chou, Kent Ma, Jordan Wiens, and Kai Zhong for their instrumental help in shaping both CTFd and MLC.

Show Comments