PWPE

Summary

This certification is the follow-up of the PWPP. It's an expert-level exam that will take you to explore your ability to look further and deeper than you ever did with the PWPA or PWPP. To pass this exam, you're gonna need to use all the tricks in your book. So make sure your notes are up to date!

Course

The course is of the same quality as you're used to if you know Alex's courses. The topics covered are:

  • Prototype pollution

  • GraphQL

  • Code review

  • Code (de)obfuscation

  • OAuth

  • Cache poisoning

Each topic starts with a theoretical explanation and as always Alex walks you through some examples. Then you have a shot at doing some capstones on your own at the end of each module.

Exam

RoE

Like always you get your RoE at the start of the exam. This document is important to understand the scope of the exam. Read this with even more care than you did for any other TCM certs! Once you read it, just read it again, just to make sure you saw it all.

My Exam

After you read and reread the RoE, it's time to navigate to the start URL. Personally, I found that this exam was a bit less overwhelming than PWPP. Still a lot of functionality to go through, but it felt calmer.

Once the exam started, I did what I always do: I went through the app and clicked everything I saw. Then it was time to open up my proxy and inspect the traffic. Like Alex said in one of his reviews, your task is to identify small vulnerabilities and chain them together. So don't expect to find an obvious XSS.

After I went through the traffic, I decided that a particular functionality would be my first thing to start testing on. I had to peel the onion layer by layer, and I kept track of everything I saw that could possibly be of use later on. And sure enough, after only a few hours I chained some low-level things together and I was able to drop a payload that could be considered a high risk.

On that high, I continued my testing, and I found some small issues, but I could not for the life of me chain together something that could even be considered worth noting down. So that's when the panic started to set in. I decided to leave it like that, and went to bed for some shuteye.

When I opened up the app the next day, I had had enough time to reflect on what I found, so I started to really hit those endpoints with everything that I had, but nothing, and I mean absolutely nothing, worked. I remembered the valuable lesson I had from my PWPP about rabbit holes, and I moved away from the endpoint that I was so sure was the entry point for a critical vulnerability.

That's when the expert-level exam became the expert-level exam for me. I had the low-hanging fruit, but that was not enough to pass. I needed something critical. And it is at that point that the exam tests whether you have the endurance and insight to go look for the right things. It took a loooooooooong time, and multiple "It's not gonna be in here, right?!" moments when my eye caught something small, yet so obvious that I needed to test it. My first test on that particular piece returned absolutely nothing. Another dead end? Or maybe not, let's try this... And that got me somewhere. And that result led me to use Google and look something up. It was strange, I had never seen it before, but every part of my body was screaming that I was getting somewhere if I just could crack this little thing. And yeah, that was the critical thing I was looking for! Good old Google to the rescue!

So with a day of testing to spare, I could start writing my report. I managed to have 2 high-value vulnerabilities and some minor issues. I had my template ready to go, but because this exam is all about chaining I needed to adjust the template. I submitted my report at the end of that day after reading it a dozen times.

Then, totally unexpected, another hard part came. My PWPA and PWPP results came back in less than a day, but I had to wait a week for the results of my PWPE to come back. But when they came back, I was glad I was able to knock this one out of the park on my first try too!

Remark

A very big difference between PWPE and PWPA/PWPP is the fact that now, you don't really know what you are looking for. Obviously you look at the things you learned during the course, but unlike PWPA/PWPP you will not pass with only the things you learned in the Advanced Web Hacking course. You'll need to have a profound knowledge of the basic stuff. On top of that you'll need to develop a spidey sense for things that are a bit weird and be able to look those things up. The exam is not designed to trick you, but it is designed to be an expert-level exam.

Final verdict

This was a fun exam. It was hard, and maybe you'll need a bit of luck, but the answer isn't some niche and weird "Gotcha!" CTF moment; it will be right there for you. My advice is simply to show that you have the perseverance to do what needs to be done. Expert-level doesn't mean flashy. It means you don't quit when things get quiet.