My Review on HackTheBox Certified Web Exploitation Expert (CWEE)
I recently passed the Certified Web Exploitation Expert (CWEE) certification from HackTheBox.
In this blog post, I will be sharing more details about the CWEE certification, my learning journey, and a few tips for anyone preparing to take it.
What is CWEE?
Certified Web Exploitation Expert (CWEE) is HackTheBox’s most advanced certification focused on web hacking and exploitation.
The purpose of this certification is to equip you with the skills needed to detect hard-to-find vulnerabilities that are often missed by automated scanners.
It provides knowledge on black-box attacks and, more importantly, teaches you how to identify weaknesses in applications through source code review. This white-box approach is essential when dealing with critical systems such as those in banking, healthcare, and other sensitive sectors.
To be eligible for the exam, you must complete the Senior Web Penetration Tester Path on HackTheBox Academy.
As the name suggests, CWEE is not an entry-level certification. By the time I applied, I had already completed all PortSwigger Academy labs and had two years of experience in the offensive security industry.
You can find the official presentation of the course here: https://academy.hackthebox.com/preview/certifications/htb-certified-web-exploitation-expert
Course Content
The content covered by the course is very extensive.
You can find the full list by checking the Senior Web Penetration Tester path on HackTheBox Academy and expanding the “15 Modules included” section.
I really enjoyed the last chapter about Parameter Logic Bugs. This field is not very well documented in the industry, yet HackTheBox covers it very well. Parameter Logic Bugs are particularly interesting because they exploit how an application processes user input and interactions under normal circumstances. As such, regular source-code scanners are not able to detect them. Deploying a WAF won’t help either, since no malicious payload is actually being sent.
Another concept I liked is Timing Attacks, where an attacker can infer information about an application’s content or behavior by analyzing response times to different (normal) inputs. Again, scanners and WAFs cannot reliably mitigate this type of attack today.
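As an added illustration of the timing-attack idea above (my own example, not from the HTB course), here a hand-rolled early-exit token check is placed beside a constant-time one. The secret token is a constructed value, and the number of bytes compared before rejection stands in for wall-clock response time, which is what the early exit leaks.

```python
import hmac

# Constructed secret for the demo; not from the original post.
SECRET_TOKEN = b"s3cr3t-api-token-0123456789"


def naive_check(submitted: bytes, secret: bytes = SECRET_TOKEN) -> tuple[bool, int]:
    """Early-exit comparison typical of hand-rolled auth code.

    Returns (match, bytes_compared). The second value is the observable leak:
    the work done, and therefore the response time, grows with the length of
    the prefix the caller got right, so an attacker can confirm the token one
    byte at a time with entirely well-formed requests.
    """
    if len(submitted) != len(secret):
        return False, 0
    compared = 0
    for a, b in zip(submitted, secret):
        compared += 1
        if a != b:
            return False, compared
    return True, compared


def safe_check(submitted: bytes, secret: bytes = SECRET_TOKEN) -> bool:
    """Mitigation: constant-time comparison, work independent of the first mismatch."""
    return hmac.compare_digest(submitted, secret)


def prefix_leak(candidates: list[bytes]) -> dict[bytes, int]:
    """How much work the naive check did before rejecting each candidate."""
    return {c: naive_check(c)[1] for c in candidates}


if __name__ == "__main__":
    probes = [b"x" * 27, b"s3cr3t" + b"x" * 21, b"s3cr3t-api-token-" + b"x" * 10]
    for probe, steps in prefix_leak(probes).items():
        print(f"{probe!r}: naive check compared {steps} byte(s) before rejecting")
    print("safe_check on correct token:", safe_check(SECRET_TOKEN))
```

The three probes share progressively longer correct prefixes, and the naive check's work rises with each one (1, 7, 18 bytes), while `hmac.compare_digest` gives a fixed-cost rejection with no prefix signal.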
An honorable mention goes to the Advanced Deserialization Attacks module, where I deep-dived into .NET deserialization. Successfully exploiting this can allow an attacker to gain a foothold on an enterprise Windows machine, potentially enabling lateral movement into Active Directory environments.
Languages covered in CWEE include:
- JavaScript (Node.js + frontend)
- Python (backends + exploit development)
- Java
- PHP
- C#
Knowledge of these languages is important to get the most out of the course.
The Exam
The exam was very hard but enjoyable. It simulates a real pentest engagement over the course of 10 days.
To pass you need to:
- Capture 5 flags out of 6 (90/100 score)
- Submit an industry-quality report
The standards for the report are high. You must pinpoint the vulnerable part of the code and explain why it is vulnerable. You are also expected to propose a patch for the vulnerability and, if needed, provide an exploit script. I advise using Sysreptor to create the report — they have templates for HTB exams ready to use.
While preparing for CWEE, I had a VIP+ subscription with HTB. After finishing the Senior Pentester Path, I completed the following boxes/challenges to prepare for the exam.
Preparation — boxes & challenges I completed
| Chapter | Box | Challenges |
|---|---|---|
| Injection Attacks | Analysis, Book | Dark Runes, E.Tree |
| Introduction to NoSQL Injection | Shoppy | Lazy Ballot, Wild Goose Hunt |
| Attacking Authentication Mechanisms | Noter | — |
| Advanced XSS and CSRF Exploitation | Secnotes | PumpkinSpice, Felonious Forums, The Galactic Times |
| HTTPS/TLS Attacks | Lazy | — |
| Intro to Whitebox Pentesting | — | — |
| Advanced Deserialization Attacks | Pov | NexusVoid |
| Abusing HTTP Misconfigurations | — | CDNio, Dark Alleys, Felonious Forums |
| Blind SQL Injection | Falafel | WafWaf |
| Advanced SQL Injections | — | Pentest Notes |
| HTTP Attacks | — | NextPath |
| Introduction to Deserialization Attacks | Tenet, HackNet | Pop Restaurant |
| Modern Web Exploitation Techniques | — | Interstellar |
| Whitebox Attacks | Falafel | — |
| Parameter Logic Bugs | — | — |
While the exam is indeed hard and requires creative thinking, the course materials are sufficient to pass. The challenges I listed above were chosen to boost my confidence and avoid surprises during my first attempt.
Also note that even during the exam you will learn new things — it’s satisfying to apply new concepts and see how much you’ve improved.
Conclusion
I highly recommend CWEE to anyone who wants to level up their skills in white-box attacks and source code review.
It’s a challenging yet rewarding certification that pushes you to think like a true web exploitation expert.
I hope this post gave you a clearer view of what CWEE offers and what to expect from the journey.