Practical Web Pentest Professional (PWPP) Certification, Exam and Training Review


Introduction

I wanted to improve my web application penetration testing skills at work and also my bug bounty hunting methodology. TCM had their summer sale and this training and exam bundle was $100 off, so I decided to buy the Practical Web Pentest Professional (PWPP) course and get another hacking cert. I’ve taken other TCM training courses and certifications, and know that their content and expertise are highly valuable and practical in real world engagements.

For more information you can visit the training and certification page here.

DISCLAIMER: You can’t buy this training and exam separately. They are already included together in the bundle. You also get 1 free retake if you fail the exam the first time.

PWPP Course and Training

The course and training is taught by instructor Alex Olsen at TCM Security.

You get two courses when you buy the PWPP bundle which are:

  1. Practical Web Hacking – 10 hour course on web hacking techniques with tools like Burp Suite
  2. Practical API Hacking – 6 hour course on API hacking techniques with tools like Burp Suite and Postman

Practical Web Hacking

The course covers a wide range of common web attacks such as SQL Injection, Cross-Site Scripting (XSS) and Broken Business Logic. There were other vulnerability and attack types that I thought were very practical and useful in modern web applications, such as NoSQL injection and Race Conditions. I also liked the section on attacking JWT tokens, as these are very prevalent in many production-ready web applications.

Practical API Hacking

I had actually taken this course a year before the PWPP was launched, and was already familiar with a lot of the API hacking techniques. In fact, this was one of the most practical and useful courses that I was able to apply immediately to my work, and it has actually helped me pwn many real world applications as well as identify critical and high bugs in production environments. In my opinion, the API hacking course is what sets this training and certification apart from other offerings. When you pentest real-world applications, you have to deal with APIs A LOT, and I have seen a pattern of developers IRL overlooking API security.

PWPP Exam Experience

There are 2 phases to the exam: 3 days to perform hands-on lab testing and hacking on a web application, and 2 days to write a penetration testing report based on your notes and documentation from the hands-on lab portion. It took me 3 days to complete the exam. On day 3, I spent around 5 hours writing the report and making sure I got all the screenshots I needed before I ended the lab portion.

The exam was actually NOT EASY and was challenging in the first 2 days. Don’t expect this to be an app that you can easily hack OSCP style and get shell from a publicly available exploit script. A lot of what I identified, to my surprise, were vulns that I’d actually found in actual engagements I’ve been on. Don’t expect this to be like a CTF that leaves bread crumbs or obvious hints. The application was built to mimic a real world production environment and requires a lot of critical thinking. However, I will say that taking the two courses is enough for you to pass – so if you take good notes, you’ll have a very high chance of passing. 

Due to the nature of this exam, I can’t disclose their scoring criteria. All I can say is that THIS IS NOT A CTF, and must be treated like a real-world penetration test. 

Realism and Practical Application to Real World Engagements

The fact that there is an API portion added to the realism of this exam and training. In a lot of web applications, 90% of the time you will encounter custom APIs built into the application or the use of third-party APIs to other service providers. A lot of web penetration testing exams and courses don’t seem to include this, which I find bizarre now looking back since they are very intertwined. The web-based vulnerabilities that I found were not very obvious, and on some I might have just lucked out coz’ I TRIED EVERYTHING. I’ll get to my methodology in the next section, but as I said earlier, do not treat this like a CTF.

Tips to Pass

You can read about my methodology in my previous post here:
https://hiddendoorsecurity.com/2025/07/05/how-to-crush-web-app-penetration-tests/

The way to approach this app is to think of it like an actual web and API penetration test. When you do an actual engagement, you first do a walkthrough of the application to check its basic functionality and note all the injection points and other points of interest without attempting any attacks. Next, based on the information you gathered from the application walk, you run active enumeration of directories, potential hidden directories and files, assess the tech stack being used, and also the APIs that the app is using.

After you do the initial information gathering, you can now make an assessment on where to drop payloads on the app, test for broken business logic, and abuse functionality that is not obviously present in the application. Basically, you want to INVERT how the app functions to break it, and only then can you find the vulns. 
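The application walk described above produces a list of endpoints and the parameters, headers and body fields that later become your injection points. Below is an added example (my own code, not part of the original post or TCM’s course material) that builds that inventory from a few constructed raw HTTP requests of the kind a proxy history export contains. The host name, paths and the bearer token are made up for this example; no traffic is sent, the script only parses what you already captured and flags which endpoints look like API calls, which carry a JWT, and which path segments are numeric object references worth noting for later access-control checks.

```python
"""Inventory of injection points from captured HTTP requests.

Added example (not from the original post): turns raw requests captured
during the application walkthrough into per-endpoint notes -- query keys,
body fields, interesting headers, numeric path IDs -- without sending
anything. All sample requests below are constructed for this example.
"""
import json
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample traffic, roughly what a proxy history export looks like.
SAMPLE_REQUESTS = [
    "GET /search?q=shoes&page=2 HTTP/1.1\r\nHost: shop.example.test\r\n"
    "Cookie: session=abc123\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: shop.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=alice&password=secret",
    "GET /api/v1/users/42 HTTP/1.1\r\nHost: shop.example.test\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2ln\r\n\r\n",
    "PUT /api/v1/users/42 HTTP/1.1\r\nHost: shop.example.test\r\n"
    "Content-Type: application/json\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2ln\r\n\r\n"
    '{"email": "a@example.test", "role": "user"}',
]

# Three base64url segments separated by dots: the shape of a compact JWS/JWT.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

# Headers that commonly reach server-side logic and are worth recording.
INTERESTING_HEADERS = ("cookie", "authorization", "x-forwarded-for",
                       "user-agent", "referer")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def injection_points(raw):
    """Describe one request: where user-controlled input enters the app."""
    method, target, headers, body = parse_request(raw)
    parts = urlsplit(target)
    points = {
        "query": [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)],
        "body": [],
        "headers": [h for h in INTERESTING_HEADERS if h in headers],
        # Numeric path segments are candidate object references to revisit
        # when testing authorization (e.g. /users/42 -> /users/43).
        "path_ids": [seg for seg in parts.path.split("/") if seg.isdigit()],
    }
    ctype = headers.get("content-type", "")
    if body:
        if ctype.startswith("application/json"):
            try:
                points["body"] = sorted(json.loads(body).keys())
            except (ValueError, AttributeError):
                points["body"] = ["<unparsed json>"]
        else:
            points["body"] = [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    auth = headers.get("authorization", "")
    token = auth.split(" ", 1)[1] if auth.lower().startswith("bearer ") else ""
    is_api = parts.path.startswith("/api/") or ctype.startswith("application/json")
    return {
        "method": method,
        "path": parts.path,
        "kind": "api" if is_api else "web",
        "uses_jwt": bool(JWT_RE.match(token)),
        "points": points,
    }


def build_inventory(requests):
    """One entry per (method, path); later captures overwrite earlier ones."""
    inventory = {}
    for raw in requests:
        entry = injection_points(raw)
        inventory[(entry["method"], entry["path"])] = entry
    return inventory


def summarize(inventory):
    """Coverage numbers for the notes: how much surface the walk found."""
    return {
        "endpoints": len(inventory),
        "api_endpoints": sum(1 for e in inventory.values() if e["kind"] == "api"),
        "jwt_endpoints": sum(1 for e in inventory.values() if e["uses_jwt"]),
        "total_points": sum(len(p) for e in inventory.values()
                            for p in e["points"].values()),
    }


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_REQUESTS)
    for (method, path), entry in sorted(inv.items()):
        print(method, path, entry["kind"], "jwt" if entry["uses_jwt"] else "-",
              entry["points"])
    print(summarize(inv))
```

Feed it your own exported requests in place of the constructed list and the output becomes the checklist skeleton for the next phase: every query key, body field, header and numeric ID is something to test against each vulnerability category, and the `api`/`jwt` flags tell you which endpoints belong to the API and token-handling checks from the course.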

In a real life penetration test, you also need to log ALL vulnerabilities that you find.

You have only 3 days to complete the lab portion, so think about how fast you can go through a checklist of actions for each vulnerability category so that no stone is left unturned. I recommend checking out the latest OWASP WSTG checklist for this, to make sure you don’t miss any checks. Then, see how you can chain all these vulnerabilities together to escalate your attacks.

Conclusion 

I really enjoyed taking this course and feel like I’ve leveled up on various attack methods against web applications and APIs. All the training and lab scenarios were realistic and practical for real-life engagements. The exam was also well designed and made to mimic a modern production-level web application. What I liked most was that the instructor Alex explained all the theory and methods in a very easy to understand manner, and I never felt like I got bored or lost in any of his explanations. I would say it is very worth it if you are someone who is a visual learner but HATES PowerPoint slides and reading OMG. Some old school trainings I’ve done were essentially “death by PowerPoint”, which is absolutely NOT this training. They also have a Discord server you can join to communicate with other students – so that is a plus.

But overall, I would highly recommend their training, especially if you want to get hands-on practical skills that you can easily apply to real world engagements. As far as the level you need to begin the training, I’d recommend having an associate or junior level skillset prior to attempting this course and exam. TCM Security offers another course and certification called the Practical Web Pentest Associate (PWPA) that you can take before the PWPP. If you already have the Practical Network Penetration Tester (PNPT) cert, you can also take this course IMO.

Anyways, if you found this helpful and decide to take this training, you can check it out here. If you are planning to take the exam, put on a cool hacker playlist and don’t forget to take regular breaks! Cheers and have fun!

– Z333RO
