CWEE
HackTheBox

HTB Certified Web Exploitation Expert

Level: Expert | Format: Practical exam | Pass: Passing report | Price: $210

Advanced web exploitation — deserialization, race conditions, prototype pollution, OAuth.

Issuer: HackTheBox
Format: Practical exam
Duration: 10 days
Pass Score: Passing report
Recommended Tools
Param Miner (Essential) - Cache

Cache key/unkeyed param discovery (Burp ext)

Install: BApp Store in Burp
Usage: Right-click > Guess params > Guess everything
phpggc (Essential) - Deserialization

PHP deserialization gadget chains

Install: git clone https://github.com/ambionics/phpggc
Usage: ./phpggc -l; ./phpggc Laravel/RCE1 system id
ysoserial (Essential) - Deserialization

Java deserialization gadget generator

Install: Download jar
Usage: java -jar ysoserial.jar CommonsCollections4 "id"
tplmap (Essential) - Injection

SSTI detection and exploitation

Install: git clone https://github.com/epinna/tplmap
Usage: python3 tplmap.py -u "http://target/?name=*"
JWT Editor (Essential) - JWT

JWT manipulation Burp extension

Install: BApp Store
Usage: Modify/resign JWTs directly in Repeater
interactsh (Essential) - OOB

OOB interaction server (like Collaborator)

Install: go install github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest
Usage: interactsh-client
smuggler.py (Essential) - Smuggling

HTTP request smuggling detector

Install: git clone https://github.com/defparam/smuggler
Usage: python3 smuggler.py -u https://target.com
Burp Suite Pro (Essential) - Web Proxy

Advanced web testing proxy

Install: Download from portswigger.net
Usage: HTTP Smuggler extension, Turbo Intruder, JWT Editor