
Note: As of October 1st, 2025, the Certified Bug Bounty Hunter (CBBH) certification has been renamed to the Certified Web Exploitation Specialist (CWES). This comes with module and syllabus updates and additional training. You can read about the new update here: https://www.hackthebox.com/blog/HTB-CWES-announcement
Introduction
I went on a streak pwning web apps IRL as well as obtaining new web pentesting related certs such as the Practical Web Pentest Professional (PWPP), and wanted to keep the momentum by going for the Certified Web Exploitation Specialist (CWES), formerly the Certified Bug Bounty Hunter (CBBH). I saw a sale for the HTB Silver Annual Subscription which included an exam voucher for the CBBH/CWES and the Certified Junior Cybersecurity Associate (CJCA), which I’ll probably take at some point. So I got two exam vouchers for half the price of an annual subscription! Woohoo!
For more information on HTB’s training and certification, go here.
If you are signing up for the first time on HTB Academy to get the training for this certification, check out my referral link below to get 20 bonus cubes to unlock their courses/modules:
https://referral.hackthebox.com/mzGxboG
CWES Course and Training
The course has no video-based training. Everything is in text and images. No slides though, which is good. But there is a lot of reading. If you get stuck, you can get step-by-step solutions only IF you are subscribed to the Silver Annual Subscription Plan. There are 20 modules that go over everything from information gathering and enumeration to different web-based attacks that fall in line with the OWASP Top 10 for web and API.
The following modules are part of the new Web Penetration Tester Job Role Path – which doesn’t stray too far from the previous topics in the Bug Bounty Hunter Job Role Path – and are also NOW available on the HTB platform as of this writing.
- Web Requests
- Introduction to Web Applications
- Using Web Proxies
- Information Gathering – Web Edition
- Web Fuzzing
- JavaScript Deobfuscation
- Cross-Site Scripting (XSS)
- SQL Injection Fundamentals
- SQLMap Essentials
- Command Injections
- File Upload Attacks
- Server-side Attacks
- Login Brute Forcing
- Broken Authentication
- Web Attacks
- File Inclusion
- API Attacks
- Attacking GraphQL
- Attacking Common Applications
- Bug Bounty Hunting Process
You need to complete 100% of the course material before being allowed to take the exam. In my opinion, the new modules in the course are very relevant to current modern web app pentesting, and I am glad that HTB has gone this direction. I mentioned in my post about the Practical Web Pentest Professional (PWPP) course that a lot of web hacking courses didn’t integrate API testing, and I am glad that HTB is starting to catch on to this trend, so kudos to them.
Going back to the value and practical use of the above modules and coursework, I can say that YES, they are 100% applicable to real-life web and API hacking engagements or penetration tests. I actually started taking these courses before the CBBH/CWES certification was launched, directly applied them to work, and have pwned real-world applications. What’s great is that the new API and GraphQL modules are very relevant to modern web apps, and IRL you will find a lot of vulns in these areas, so I am glad that HTB has finally stepped up and made their course more relevant. The name change is a welcome update as well. ALSO, they give you cheat sheets for the labs and exam!
CWES Exam Experience
FULL TRANSPARENCY: I took this exam before the October 1, 2025 exam update. So if you are reading this past that date, there is a chance the exam has already changed. If you are taking this before that date, this section will relate to you. I will reach out to HTB to see if I can retake the exam – and will update this section once I’ve completed and passed it.
There are certain aspects of the exam which I cannot disclose, so I will only go over what is publicly available on the HTB site. The exam duration is 7 days and you must compromise multiple web applications hosted on the HTB platform. You have the choice to use a VPN to run your own tools in your own environment, or you can use the Pwnbox VM that is hosted on the HTB platform. You are required to compromise the machines as well as submit an enterprise-grade report detailing your findings.
The exam was definitely challenging, but if you have a good web pentesting methodology, you can just go through your checklist to make sure that you cover all the different tests based on an attack vector that you find. You can read about my methodology in this post here.
Also, as described on the certification page, you will need to think outside the box and learn to chain multiple vulnerabilities to compromise a target. What I experienced in the exam was very relatable to real-world engagements, and I saw a few vulnerabilities that I had seen on actual engagements. In terms of realism, I would say the exam is there, but you still need to make sure you don’t fall into rabbit holes like in most CTF-like exams. What I liked about the exam is that they really give you 7 days to complete the lab portion and the report, which is very fair given the challenge.
Tips to Pass
You can read about my methodology in my previous post here:
https://hiddendoorsecurity.com/2025/07/05/how-to-crush-web-app-penetration-tests/
Definitely don’t get flustered if you can’t get an attack or payload to execute properly. Make sure to take a break, look back with fresh eyes and see where things are going wrong. A lot of times I knew what vulnerability was present to compromise the app, but for some reason my payloads didn’t work. I went back in and realized there were some syntax issues (one character!). So if you are bashing your head against the wall, just take a step back, look at your notes, USE THE CHEAT SHEETS from the academy course and see how you can modify them to work properly. Looking back, I actually realized some of the attack paths were quite clear, but I got lost trying to do random things instead of sticking to my methodology and also looking back at the coursework.
Conclusion
It took a long while for me to complete this course because it was mostly reading text and images. There are no video lectures, but if you slog through it, there is a lot of value. The coursework was more detailed than any other platform I have used and is packed with a lot of useful information. So be prepared to drink straight from a garden hose if you are new to web security penetration testing. I honestly recommend taking an easier course beforehand to get ahead if you are just starting because the labs and the exam can be quite challenging for a beginner with no knowledge. TCM Security has a course called Practical Web Pentest Associate (PWPA) that is a good entry point to learn web hacking and is relatively affordable.
The exam was very realistic and I feel like the techniques you learn are directly applicable to on-the-job work as a web pentester. If you feel like you are ready to dive into learning how to hack web applications and APIs for work as a web app pentester or bug bounty hunter, make sure to check out the CWES from HTB here.
Good luck on your endeavors! Cheers and have fun!
– Z333RO
