PWPA
Summary
Practical Web Pentest Associate was the first cert I ever did. I chose it because of my background as a web developer and my desire to understand common vulnerabilities so I could write more secure code. I never expected this cert to spark an interest in Web AppSec.
As the name suggests, PWPA is the beginner-level cert for web pentesting. It covers a lot of basic vulnerabilities and how to exploit them. More importantly, Alex doesn’t just hand you a checklist; he teaches a methodology that you can immediately put into practice with the labs. He strongly encourages keeping your notes updated. Contrary to what I thought, pentesters don’t know everything off the top of their heads. Hackers in movies type at insane speeds, bypassing the firewall and hacking into the “mainframe.” That’s not real life. Having someone explain a clear methodology lowers the bar for getting started in hacking.
Course
The Bug Bounty Hunter course is made up of different sections. They range from enumeration (finding the content, endpoints and parameters of a web application that aren’t linked from its pages) to exploiting your first Cross-Site Scripting vulnerability (getting the site to reflect your input as HTML or JavaScript so that it runs in other users’ browsers).
If at this point you’re thinking, “What?”, don’t worry. Everything is explained step by step, and you’re not expected to understand everything right away. For example, when I started, I couldn’t script anything, yet the very first section is about scripting. By the end, you end up with a script you can use for all your engagements. You don’t need to know every detail about how it works. Honestly, I only took a Python course after passing PWPA’s follow-up cert, PWPP. So trust me when I say: you’re fine.
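To make the Cross-Site Scripting idea above concrete, here is a small added example (my own illustration, not code from the course or from TCM). It assumes a hypothetical search page that reflects the user’s query into its response, shows the unescaped rendering beside the encoded one, and runs the kind of canary probe a tester uses before trying a real payload: reflect each HTML metacharacter with a unique tag around it and see which ones come back unencoded.

```python
import html

# Constructed sample page: a search results header that reflects the query.
# The template and query parameter are assumptions for this example.
TEMPLATE = "<h1>Results for: {query}</h1>"


def render_vulnerable(query: str) -> str:
    """Reflect the query straight into the HTML.

    Anything the user types becomes part of the page's markup, so a
    <script> tag in the query is executed by the browser (reflected XSS).
    """
    return TEMPLATE.format(query=query)


def render_safe(query: str) -> str:
    """Encode HTML metacharacters before reflecting.

    html.escape(quote=True) turns & < > " ' into entities, so the query
    is displayed as text instead of being parsed as markup.
    """
    return TEMPLATE.format(query=html.escape(query, quote=True))


def unencoded_metachars(render, tag: str = "pwpa7x") -> set:
    """Canary probe: which HTML metacharacters survive reflection unencoded?

    Each character is wrapped in a unique tag so we can tell our own
    reflection apart from anything else on the page. An unencoded '<'
    is the signal that markup injection (and likely XSS) is possible.
    """
    survivors = set()
    for ch in '<>"\'&':
        canary = f"{tag}{ch}{tag}"
        if canary in render(canary):
            survivors.add(ch)
    return survivors


PAYLOAD = "<script>alert(1)</script>"


def payload_reflected_intact(render, payload: str = PAYLOAD) -> bool:
    """Crude confirmation step: does the payload come back byte for byte?"""
    return payload in render(payload)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        print(name, "unencoded:", sorted(unencoded_metachars(render)),
              "payload intact:", payload_reflected_intact(render))
```

The probe is the part worth keeping in your notes: run it against every reflected parameter before spending time on payloads, because a parameter that encodes `<` and `>` but not `"` or `'` still matters if your input lands inside an attribute.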
Exam
The goal of the course, of course, is to pass the PWPA exam. Here’s a bit about my experience.
Rules
Before starting the exam, you’re reminded that you can’t share exam details, so I’m definitely not going to spoil anything. Everything you need to know is in the Rules of Engagement (RoE) you receive when you click “Start Exam.” This document explains what you should look for, who to contact if something goes wrong, and what you’re not allowed to do. Read it. Then re-read it. It’s important.
Pentesting
After reviewing the RoE, it’s time to visit your target. From that point on, it’s just you, your tools, and the techniques you've learned. And that’s all you need. There’s no need to look for things you weren’t taught or use techniques outside the course. What matters is opening the website, getting overwhelmed for a minute or two, then opening your notes and following your methodology.
Don’t forget to set a timer: one hour hacking, five-minute break, and a longer break after three cycles.
My exam
I started my exam and couldn’t find anything for two straight hours. After a break, I slowed down, put my notes on a second screen, and began working through the methodology I had practiced so many times. I had summarized the entire course into a document I called my “sanity check,” and I strongly recommend having something like that. Once I followed it, the vulnerabilities presented themselves.
A big thing about this exam is that they don’t try to trick you. It’s just a pentest.
My approach was to screenshot everything, paste it into Notion with a short explanation, and move on.
Quick tip: having something that tracks your clipboard history is incredibly useful. I had to dig for screenshots I knew I took but forgot to paste.
After about seven hours, I had found some interesting things. Then I shut down my computer, picked up my kids from school, and had a great evening with them. After they went to bed, I watched a movie with my wife and went to sleep.
That paragraph isn’t a flex; it’s essential. If you’ve worked all day, you need rest. You’ll run out of ideas long before you run out of time. After dropping my kids off at school the next morning, I grabbed a coffee and started hacking again. Don’t think, “I have enough points; I’ll just wing it.” Take it seriously and try everything you can. Right after lunch, I found another major vulnerability, and I was genuinely excited.
Eventually, I ran out of ideas. I reviewed the vulnerabilities I found and didn’t know what else to test, so I started writing my report. I didn’t close my exam yet, because if I needed extra screenshots or wanted to try a different payload, I still had the option. Luckily, I didn’t need extra lab time, and I finished my report around the same time my lab expired.
After finishing the report, I closed my laptop again and spent time with my family. The next morning, after a good night’s sleep, I re-read the report in detail. I made a few edits, read it one last time, exported it as a PDF, and submitted it.
Then I braced myself for a long wait… but only two hours later, a notification from TCM popped up with the link to my certification.
Final verdict
It was a great and fun exam. Challenging enough to test your abilities, but not so hard that it feels impossible. If you do the lab work and avoid shortcuts, I’m sure you’ll succeed in this cert too.