Every website has different programming languages and those programming languages have specific vulnerabilities. There are issues fundamental to the internet that can show up regardless of the chosen language or framework. These vulnerabilities often show up in CTFs as web security challenges where the user needs to exploit a bug to gain some kind of higher-level privilege.