So Hack The Box Made a Web Cert?

the hack the Box certified web exploitation expert is what they call their first Advanced hack the Box certification it's all about web application security and it goes really deep on the subject material like take a look at this related job roll path which you practically can think of as like the course to prep for the exam this is the senior web penetration tester job roll path on hack the Box Academy and look at all this stuff injection attacks no SQL injection off by passes cross- sight scripting and cross- site request forgery blind sequel injection distalization

attacks logic bugs and a ton more these dig into both white box and blackbox web app pen testing both the job roll path and the certification cover the perspective of when you have the application source code and when you don't and a majority of these are all tagged with the hard difficulty and that's why they say this one is Advanced it is for the senior penetration tester now again I'm not a penetration tester I'll say that upfront I don't do that for my full-time job I like to explore different vulnerabilities and Capture the Flag competitions

or different cves in the real world but web app pen testing is not my occupation with that said I do love the learning and the Hands-On approach to All Things cyber security even like as a blue teamer or Defender or a purple teaming mindset if you like that vernacular it's all about upskilling in cyber security in a practical in real world environment and hack the Box makes everything Hands-On and practical the cwe or the certified web exploitation expert here builds off some of the other core knowledge from the hack the Box cbbh the certified bug

Bounty Hunter and hack the Box cpts the certified penetration testing specialist but cwe is stand alone you don't need any of the hack the Box certifications to access and attempt this one anyway if we look at the modules for the senior web app pentester job roll path they do Shine the spotlight on some topics that I think are often overlooked I don't know about you but I don't usually see X paath injection being one that's talked about even just as an example of course they have a handful of Json web token material even some ooth

and saml which is certainly a bit more advanced than you usually see for web app security training for cross- site scripting it's not just the basic cookie cutter syntax but they're going up against the same origin policy cores misconfigurations bypasses to dig into internal apis content security policy and more something I think you practically never see is the HTTP and TLS attacks like they're showcasing padding Oracle attacks and some more obscure tricks against the protocols themselves I've never even heard of poodle and Beast let alone crime and breach there is web cash poisoning there is

session ID exploitation log injection dns-based data exfiltration websocket abuse ssrf D sterilization gadgets race conditions even There is seriously just so much stuff and B5 null really said it best these give a god base on how flaws and codes can lead to exploits thanks to P5 n obviously all of their training material comes with Hands-On lab environments an activity and an exercise including a virtual machine like in line with the content so you can test your knowledge right away this by the way is something that I seriously recommend you take notes on the hack the

Box Academy does have a fantastic Global search feature that you can literally just search for anything and it finds it across every single module everywhere but I got to say it is a lot of text on hack the Box Academy you got to do a lot of reading and that may not be for everyone maybe that's not your style of learning but even using it as a reference you can but it's best to build out your own reference I'm a huge fan of using obsidian trying to copy down each and every single payload that I've

used in practice so that when it comes time to using it for real either in the exam or real work I've already got a snippet that I can just tweak and tune to the environment basically have stuff ready for you to just copy and paste and then you know that it works on your virtual machine with your installed tooling because you've tested it beforehand that saves seriously so much time anyway these modules for cwe include some really legit stuff and I know it's easy to think well hey it's just a collection of vulnerabilities all the

usual stuff you see in web security but it's not just that these lessons give you such a baseline of web security assessment skills like a grown into of what to do in which situation all alongside the techniques and tradecraft to really do those attacks like Implement those exploits alongside you learning from all of the demos and exercises I got to admit I think teaching that intuition is really hard to do so hats off and Kudos hack the box for that I will say though that this does take some extra leg work from you like I

mentioned building out your own reference do that and then build out your own sort of Playbook like whenever you find yourself in whatever scenario like you're up against some text box just a regular input box and you have no other clue or indication as to what to do or what to try well if you have a checklist prepared like hey have I looked for command injection have I looked for SQL injection what about X paath is there cross-site scripting here in the application is that an option where does the data go in this port por

of the application where is it used to reference later if at all combining all of that with your own catalog of payloads to try keeps you moving so you don't hit a wall cuz that is the worst thing in an exam or in real work anyway those are just some tips and tricks for you if that's helpful I hope back to the material though it is literally 15 modules in the senior web app pentester job roll path that's over like 240 sections in 11 different knowledge domains that's wild and remember I really want to stress

this point it showcases both the black box and white box perspective the whole second half of the job roll path covers that white box pen testing approach where you have access to the source code of the application you get to focus on source code review debugging and of course custom exploit development but even patching each individual vulnerability you do need to 100% complete the entire senior web penetration testing job roll path to be able to take the exam I've been working through the modules but here's the thing I have not yet taken the exam I'm

sorry I really really wish that I could sprinkle in some teasers I know that I can't really talk about it anyway but I haven't gotten it started yet between the ncon capture the flag competition and travel and work I I could throw whatever excuses in the book but I just haven't made time for it it is a big time invest mment right you have 10 days to take the exam in a dedicated environment and in those same 10 days you have to write and upload a full professional report where you document all the vulnerabilities you

found exploits you used or wrote and even patching and Remediation recommendations I got to admit I haven't done it yet I do desperately want to though and that goes for any senior pentester web app pentester web developer even security engineer or code auditor or bug Bounty Hunter I think you should try it out don't let the hard tags or the advanced tagline scare you away it's ultimately all about learning and sharpening your skills and I'll let you in on a little secret you don't have to have passed an exam to have learned something with all

that said if you are interested in the certified web exploitation expert in the senior web app pentester job roll path from hack the box and hack the Box Academy then give it a go kick the tires explore see what is out there see what's new for you and level up your skills there's a link in the video description for you to get started and thank you so much for watching this video please do all those YouTube algorithm things like comment subscribe and with that I'll see you in the next video