CWEE
Webbin it

Motivation and Background
After completing CAPE, I decided to try my hand at web exploitation. Having some experience in this category from CTFs, I wanted to broaden my skills in this area for fun and CWEE just seemed like a structured way to do so.
I was also especially drawn to the course’s white-box approach, which I found really appealing.
Course Review
The course covers both black-box and white-box approaches; any module before the Intro to Whitebox Pentesting module is covered black-box. You can look at the course overview here.
I personally found most of the skills assessment relatively challenging with a good variety of vectors covered.
One module that stood out to me personally was Parameter Logic Bugs. I enjoyed the way the author explained the methodology and focused on the more "human" side of vulnerabilities. I honestly haven't seen many resources elsewhere that explained it this well.
Throughout the course, there is also an emphasis on patching and remediations for each vulnerability covered which was quite important for the exam.
Preparation
I managed to cover the course in 3 months (Sep - November) and took a month to work on extra challenges. I didn't want to spend extra money so I just did active web challenges on HackTheBox.

I also took time to upsolve some CTF challenges based on vulnerability classes that I felt that I wasn't familiar with. Below is a list of some CTF challenges that I personally thought were pretty interesting albeit not totally relevant to the course.
Logic Bug + Verb Tampering
Second-Order SQLi with Prototype Pollution
Logic Bug + SSRF
However, the exam only tests what is in the course, so I would say that if you are comfortable doing the skills assessments blind, you are probably ready for the exam.
I was aiming to finish my exam in the first half of December but I was too busy gacha-ing Pokémon cards in Japan hehe.

Exam Experience
Similar to CAPE, I obtained the passing mark in about 4 days. I felt that the lab was really big in size, and I didn't have any latency issues compared to CAPE/CPTS coming from Asia.

It took me another 2 days to obtain the last 10 points while doing the report but I made the mistake of referencing my CPTS/CAPE exam reports and failed the first time due to reporting.
Here are some pointers I have since the reporting format for this exam is rather unique (markdown):
For links to images, it should follow standard markdown syntax (refer to this cheatsheet).
View the consolidated report on both Linux and Windows and ensure that all images render properly.
Stick closely to the report format given; unlike CPTS/CAPE, this report wants the vulnerabilities to be covered as findings instead of a detailed walkthrough.
I uploaded my second attempt on 3rd Jan and received my results on the 6th, which I thought was really fast, so kudos to the reviewer.
Reflection and Thoughts
Having done two other HTB certifications before this, I was already used to the 10 days of exam time. I personally aimed to finish with about 3 days left so I’d have enough time to focus on the report.
The exam environment is pretty large with multiple subdomains, so I spent most of my first day just doing enumeration and figuring out which target looked the most promising before going deeper.
There are also quite a few rabbit holes (you’ll realise this pretty quickly in the exam), so having a solid methodology really matters. Since I took the exam during Christmas week, I honestly wish I had taken the report more seriously from the start instead of being in holiday-mood.
I used quite a bit of AI during the exam, mainly to help with scripting and automating parts of exploits. That said, it hallucinated fairly often and was only really useful when I already knew what the vulnerability was and just needed help executing the idea. A lot of the exam involves chaining multiple vulnerabilities together, which still requires creative thinking and can't be "auto-solved" with AI.
Tips and Tricks
For each module, write down a repeatable checklist for how to enumerate that vulnerability class (what to look for, what to test, what it looks like if it's vulnerable).
Identify which parts can be automated, and prepare a small set of reusable reference scripts that you can modify quickly during the exam.
Additionally, if source code is provided, understanding how the issue would be fixed/mitigated is really helpful and will save you time during report-writing.
When stuck, it's important to take stock of what you currently have and what you need to move to the next step.
Don't overcomplicate the exploit or blindly copy whatever AI spits out; most of the time the bug is much simpler and more realistic than it looks.
For more practice, or if you're just interested in web exploitation, I recommend the following free resources:
White-Box
Look up a CTF challenge for a specific topic and try to upsolve it (e.g., a Prototype Pollution challenge). A good archive of CTF challenges can be found here, but you'll need to find the solution yourself.
HTB Challenges were also pretty good, and the difficulty is fairly comparable to the course/exam.
If you want to learn how to fix what you find, check out the Secure Coding category here, albeit there seem to be only 6 challenges.
Black-Box
BurpSuite Academy is a great resource and is also free.
Would I recommend it?
Yes, if you are doing anything related to web in your job/role (web dev, web security etc.) or are just passionate about web security.
FAQs
Do I have to do the CWES before embarking on CWEE?
In my opinion no; I only did part of the CWES path before CPTS, but that was 2 years back and before it got rebranded (CBBH).
If you have some experience in web exploitation, I think it's fine to start CWEE.
What is the coding requirement for CWEE?
For scripting, the only language relevant is Python 3, specifically the requests library. The course also provides code snippets for reference, so it's fine if you are not familiar with scripting.
Do I need to be proficient in X programming language?
Not really. The course touches a few languages (e.g. Java, Python, JavaScript), but the key is recognizing common vulnerability patterns. In most cases, the same type of issue looks very similar across languages. Even though the syntax changes, the root cause is still the same.
Thanks for reading!