I started the HTB CWEE(Certified Web Exploitation Expert) exam on March 1, 2024, and received my passing notification on March 23. I am proud to have earned the “First Blood” by being the first person to pass the CWEE.
I have written about my experience with HTB CWEE. Since I cannot provide detailed information, there may be some ambiguous parts due to the nature of the exam, so please understand.
About Me
- I have no experience as a web developer.
- I am not a pentester.
- I enjoy using the HTB main platform occasionally.(https://app.hackthebox.com/profile/681671)
- Before passing CWEE, I obtained qualifications related to hacking such as OSCP, OSWE, CBBH, and BSCP.
Preparation
Duration
- I started the CWEE path on December 18th and completed it on February 1st.
- I studied for about 2 to 5 hours on weekdays and up to 10 hours on weekends.
What I prepared
- I have compiled almost all commands and important results conducted on the "Senior Web Penetration Tester" path in Obsidian for easy searching.
- Since there was about a month between finishing the "Senior Web Penetration Tester" Path and taking the exam, I lightly reviewed the entire module just before the exam.
- I did not use any materials other than HTB Academy for studying CWEE. However, I believe what I learned to obtain the BSCP in the past was helpful. (The web technologies covered in CWEE and BSCP are very similar.)
Cost
- The total cost was $945 for the Gold Annual during the sale.
About the exam
Schedule
- It was scheduled for 10 days from March 1st, including two weekends.
- I took the exam while working full-time.
- I spent about 5 hours on weekdays and 10 hours on weekends on the exam.
Exam tasks
- To pass the exam, a score of 90 out of 100 is required.
- The scoring varies for each question.
- Several domains are covered.
- Web apps are divided by subdomains, and multiple languages were used. However, languages not covered in the "Senior Web Penetration Tester" Path were not used.
- The exam format includes white-box and black-box, but there seems to be no complete black-box test. (Starting from a black-box test and finding vulnerabilities to examine source code, etc.)
- Multiple vulnerabilities need to be chained to obtain one flag.
Report
- Writing the report is probably the most crucial part of passing.
- Like other certifications, it needs to be detailed.
- In CWEE, you must include patches for identified vulnerabilities in the report (the most challenging part for me!).
- Since it is likely that deficiencies in the report will result in failure, I recommend allocating a lot of time to the report.
- I spent about 20 hours writing a report of around 100 pages (most of which are screenshots).
Differences and Comparison between HTB CWEE and OSWE
- OSWE (OffSec Web Expert) is a certification for white-box web application penetration testing provided by Offsec. I obtained this certification in June 2023.
- Below are the differences between each exam and my personal comparison.
Differences in Exam Content
OSWE
- Pure white-box testing.
- Separate production and debug machines are provided for each web application.
- Candidates build exploits on the debug server and retrieve flags from the production machine.
- The debug machine is a complete copy of the production machine (excluding flags), allowing direct access not only to the web application but also to the database.
- Source code is obtained from the debug machine, requiring skills in decompiling and extracting source code, as well as remote debugging skills.
CWEE
- Both white-box and black-box testing.
- Source code is obtained via Git. Other means of obtaining source code may be required.
- Debug machines like those in OSWE are not provided.
Differences in Attack Techniques
OSWE
- Focuses on major web attacks such as XSS, CSRF, SQLi, XXE, SSTI, etc. (refer to the WEB-300 syllabus: [https://www.offsec.com/courses/web-300/download/syllabus]).
- Exploits vulnerabilities within the scope of web applications.
CWEE
- In addition to attacks covered in OSWE, also covers attacks like LDAP injection, web cache poisoning, and smuggling attacks (the entire CWEE path should be covered).
- Includes attacks exploiting DNS and SMTP, not limited to web application attacks.
Differences in Duration
OSWE
- 48 hours for the exam, 24 hours for report writing.
CWEE
- Exam and report writing are conducted within 10 days.
Differences in Exam Task Volume
OSWE
- 2 web applications.
- 4 flags (For each web application, flags for administrative access and flags within local files. This applies to 2 web applications.).
CWEE
- Multiple web applications (3 or more) derived from subdomains of 3 domains.
- 6 flags (For each web application, flags for administrative access and flags within local files. This applies to 3 web applications).
Differences in Report Requirements
OSWE
- Detailed explanation of exploitation process required.
- Custom exploit script consolidating flag retrieval scripts into one must be created and included in the report.
CWEE
- Detailed explanation of exploitation process required.
- Linkage with CWE, evaluation with CVSS v4.0, and if necessary, attaching created scripts to the report.
- Detailed explanation of proposed fixes with code required.
Personal Comparison
Similar Skill Levels Required for Vulnerability Detection
- Found both CWEE and OSWE equally challenging as both require understanding source code to exploit vulnerabilities.
Higher Exploitation Skill Requirement for CWEE
- CWEE encompasses systems combining not only web applications but also DNS, email, etc., making exploitation of discovered vulnerabilities more challenging.
Higher Reporting Skill Requirement for CWEE
- CWEE requires evaluating each vulnerability and providing detailed fix explanations with code, which likely involves actual code writing for validation.
Higher Programming Skill Requirement for OSWE
- OSWE mandates creating custom exploits, including handling reverse shells within scripts, which adds to the complexity. While CWEE doesn’t explicitly require script creation, developing time-consuming data extraction exploits inevitably involves coding. Additionally, creating fix codes necessitates coding. Overall, OSWE demands slightly higher programming skills.
Higher Speed in Vulnerability Discovery Skill Requirement for OSWE
- OSWE requires discovering and exploiting 4 flags within 48 hours, necessitating quick task completion due to time constraints.
Thoughts and Advice
- The difficulty of the exam may vary depending on your skill in identifying vulnerabilities. People who regularly do tasks like source code review may easily identify vulnerabilities. However, since several modules teach how to identify vulnerabilities from source code, it seems fine to approach the exam with a full understanding.
- Exploiting vulnerabilities is not too difficult as the "Senior Web Penetration Tester" Path teaches it, but it’s recommended to script what you can in advance.
- Logical thinking is necessary for how to exploit discovered vulnerabilities and proceed.
- Do not skimp on creating the report. As mentioned in many places, a professional report is required, and it seems to directly affect pass or fail.
