Exam Prep - PWPA (Practical Web Pentest Associate)

Note: The certification was originally called “PJWT” (Practical Junior Web Tester) and was renamed to “PWPA” (Practical Web Pentest Associate) in November 2024. The exam itself has not changed - only the name. This is the entry-level web application pentesting certification from TCM Security.


1. Exam Format

DetailInfo
Duration48 hours to test + 48 hours to write the report (4 days total)
Format100% practical - you pentest a live web application
EnvironmentCloud-hosted web app accessible via VPN
ProctoringNon-proctored (no intrusive monitoring software)
MonitoringNetwork traffic is monitored for cheating detection
FlagsZERO flags to capture - this is not a CTF
Multiple choiceZERO multiple choice questions
ToolsAny tools permitted, as long as you disclose them in the report
RetakesOne free retake included with every voucher
Voucher validity12 months from purchase
Price~$199 (discounts for military/veterans/students - 20% off)
Prerequisite coursePractical Bug Bounty / Practical Web Application Penetration Testing

Passing Criteria

  • Successfully exploit vulnerabilities in the target web application
  • Deliver a detailed, professionally written penetration testing report
  • Stay within scope and follow the Rules of Engagement (violating these = disqualification)
  • The report is weighted heavily - finding vulns is only half the battle

What You Get

  • 9+ hours on-demand training (12-month access)
  • Hands-on local labs
  • 1 exam attempt + 1 free retake
  • 24/7/365 course support
  • Digital certification (printable)

2. What to Expect

Vulnerability Categories Most Likely to Appear

Based on the course content and community reviews, expect a mix of these vulnerability types. The exam tests OWASP Top 10 fundamentals.

High probability (core course topics):

  • SQL Injection (union-based, blind boolean, blind time-based, second-order)
  • Cross-Site Scripting (reflected, stored, DOM-based)
  • Local/Remote File Inclusion (LFI/RFI with filter bypasses)
  • Authentication flaws (brute-force, MFA bypass, logic issues)
  • Broken Access Control / IDOR (horizontal and vertical privilege escalation)
  • Command Injection
  • Insecure File Upload
  • Server-Side Template Injection (SSTI)

Medium probability:

  • Cross-Site Request Forgery (CSRF) with token bypass
  • Server-Side Request Forgery (SSRF) and Blind SSRF
  • XML External Entity (XXE) Injection
  • Open Redirects
  • Insecure session management

Lower probability but worth knowing:

  • Subdomain takeover (conceptual - hard to test in a lab)
  • Vulnerable/outdated components
  • Information disclosure (security headers, server banners)

Key Exam Characteristics

  • This is a single web application, not a network
  • Treat it like a real-world pentest engagement, not a CTF
  • You will likely find multiple vulnerabilities of varying severity
  • Report low, medium, AND high findings - do not skip low-severity issues
  • Enumeration reveals 80% of the attack surface - do not skip it
  • The passing criteria are only revealed in the Rules of Engagement when you start the exam
  • READ THE RULES OF ENGAGEMENT CAREFULLY before you begin testing

3. Study Strategy

Where You Are

You have watched the course twice - once passively and once actively with notes. That puts you ahead of most candidates. Here is what to do next:

Step 1: Redo Every Course Lab From Scratch (1-2 weeks)

  • Reset all labs and solve them without looking at the walkthrough
  • If you get stuck for more than 30 minutes, check hints (not the full solution)
  • For each lab, write down: the vulnerability type, how you found it, the payload, and remediation
  • Build muscle memory with Burp Suite - you should be fast with Repeater, Intruder, and the Proxy

Step 2: Build Your Checklists (2-3 days)

Create a checklist for each vulnerability type you can reference during the exam:

  • Authentication testing checklist
  • SQL injection testing checklist (with payloads for MySQL, PostgreSQL, etc.)
  • XSS testing checklist (with filter bypass payloads)
  • LFI/RFI testing checklist (with PHP wrappers and filter bypass)
  • File upload testing checklist (extension bypasses, magic bytes, etc.)
  • SSTI testing checklist (with detection payloads per engine)
  • SSRF testing checklist
  • CSRF testing checklist
  • Command injection testing checklist

Resource: The course references https://appsecexplained.gitbook.io which has checklists per vulnerability type.

Step 3: Practice on External Labs (1-2 weeks)

See Section 4 below for specific labs.

Step 4: Do a Timed Mock Exam (1 weekend)

  • Pick a vulnerable web app (like OWASP Juice Shop or a TryHackMe room)
  • Give yourself 8 hours to find as many vulns as possible
  • Spend 4 hours writing a full pentest report
  • This builds time management and report writing skills simultaneously

Step 5: Prepare Your Report Template (1 day)

  • Build your template BEFORE exam day (see Section 6)
  • Have sections pre-filled with boilerplate text
  • Include placeholders for screenshots, CVSS scores, and remediation

4. Practice Resources

PortSwigger Web Security Academy (FREE - highest priority)

URL: https://portswigger.net/web-security

Work through these labs in order of exam relevance:

TopicLabs to Complete
SQL InjectionAll “Apprentice” and “Practitioner” labs
Cross-Site ScriptingAll “Apprentice” labs + reflected/stored “Practitioner” labs
AuthenticationAll labs (brute force, MFA bypass, logic flaws)
Access ControlAll “Apprentice” and “Practitioner” IDOR labs
File UploadAll labs
SSRFAll “Apprentice” labs
XXEAll “Apprentice” labs
CSRFAll “Apprentice” labs
OS Command InjectionAll labs
Directory Traversal/LFIAll labs
SSTIAll “Apprentice” labs

TryHackMe (some free, some require subscription)

URL: https://tryhackme.com

Relevant rooms:

  • OWASP Top 10 (free)
  • OWASP Juice Shop
  • SQL Injection
  • Cross-Site Scripting
  • Web Fundamentals
  • Burp Suite: The Basics / Repeater / Intruder
  • Upload Vulnerabilities
  • SSRF
  • Authentication Bypass
  • IDOR
  • Command Injection

URL: https://app.hackthebox.com

Relevant challenges and machines:

  • HTB Academy: Web Requests, Introduction to Web Applications, SQL Injection Fundamentals
  • Starting Point machines with web components

PentesterLab (subscription)

URL: https://pentesterlab.com

  • “Web for Pentester” exercises (free)
  • “Essential” badge exercises cover SQLi, XSS, File Inclusion, Code Injection, Command Injection, LDAP Injection, File Upload, XML attacks

OWASP Juice Shop (FREE)

URL: https://owasp.org/www-project-juice-shop/

  • Install locally: docker run -p 3000:3000 bkimminich/juice-shop
  • Great for practicing SQLi, XSS, broken auth, broken access control, and more
  • Has a built-in scoreboard to track progress

Other Resources


5. Exam Day Checklist

Before You Start

  • Burp Suite configured and working (Community or Pro)
  • Browser proxied through Burp Suite with certificate installed
  • VPN client installed and tested
  • Report template ready (see Section 6)
  • Note-taking tool open (Obsidian, CherryTree, or OneNote)
  • Screenshot tool ready (Flameshot on Linux: sudo apt install flameshot)
  • Terminal multiplexer set up (tmux) for running multiple tools
  • SecLists installed (sudo apt install seclists)
  • ffuf installed and working
  • SQLMap installed and working
  • Your vulnerability checklists printed or open in a separate window
  • PayloadsAllTheThings bookmarked or cloned locally
  • Plenty of water and snacks available
  • Phone on silent / distractions eliminated

Tools to Have Ready

ToolPurpose
Burp SuiteProxy, Repeater, Intruder, Decoder
ffufDirectory/file fuzzing, parameter fuzzing, brute forcing
SQLMapSQL injection detection and exploitation
curlQuick HTTP requests from the terminal
Flameshot / screenshotsDocumenting evidence
Obsidian / CherryTreeNote-taking with structure
Mousepad / text editorQuick notes and payload editing
Python 3Scripting custom exploits if needed
NmapPort scanning (may or may not be needed depending on scope)
Wappalyzer / BuiltWithTechnology fingerprinting
Browser dev toolsInspecting DOM, cookies, local storage, network requests

During the Exam

  • Read the Rules of Engagement COMPLETELY before touching the application
  • Screenshot EVERYTHING as you go - do not plan to come back later
  • Take notes on every finding immediately
  • Label screenshots clearly (e.g., 01-sqli-login-payload.png)
  • Test all input fields, parameters, headers, and cookies
  • Check for both GET and POST parameter injection
  • Enumerate directories and files with ffuf
  • Check JavaScript files for API routes, tokens, hardcoded secrets
  • Use Burp Suite Param Miner extension to find hidden parameters
  • Test authentication flows for logic bugs
  • Test access controls between different user roles
  • Check for default credentials on any login panel
  • Restart the lab environment if something breaks (this is allowed)
  • Contact the helpdesk if you have technical issues - they respond quickly
  • Take breaks, sleep, eat - you have 48 hours, use them wisely

Time Management

  • Do NOT rush. People who finish in 8 hours and submit early often fail.
  • Spend the first 2-4 hours on enumeration and understanding the application
  • Spend the next 8-16 hours on systematic vulnerability testing
  • Use remaining time to double-check findings and fill gaps
  • Start the report while testing - do not wait until the report phase
  • Use ALL 48 hours of report time if needed

6. Report Writing

What the Course Teaches About Reporting

Based on the reporting module from the course (transcript 11), here are the key takeaways:

Report Structure

  1. Cover page - Client name, your name/company, date
  2. Table of contents
  3. Confidentiality statement - Snapshot in time, time-limited engagement disclaimer
  4. Contact information
  5. Assessment overview - Dates, methodology (OWASP Testing Guide), scope
  6. Executive summary - High-level, non-technical audience
    • Testing summary (what you did)
    • Scoping and limitations
    • Strengths and weaknesses of the application
    • Vulnerability summary table (severity counts)
    • High-level recommendations
  7. Technical findings - Detailed, for the technical audience
    • Ordered by severity (critical first, informational last)
    • Each finding includes: description, likelihood, impact, CVSS score, affected URL/endpoint, tools used, references (OWASP/CWE), evidence (screenshots), and remediation recommendations
  8. Appendices - Scan results, additional evidence

Per-Finding Template

For each vulnerability, include:

Title: [Vulnerability Type] - [Location/Parameter]
Severity: [Critical/High/Medium/Low/Informational]
CVSS Score: [X.X] (with vector string)
CWE: [CWE-XXX]

Description:
[What the vulnerability is and why it matters - use active voice]

Likelihood: [Low/Medium/High] - [Justify: requires authentication? network access?]
Impact: [Low/Medium/High] - [What can an attacker actually do?]

Affected Asset: [URL or endpoint]
Tools Used: [Burp Suite, SQLMap, etc.]

References:
- OWASP: [link]
- CWE: [link]

Evidence:
[Screenshot 1 - description]
[Screenshot 2 - description]
[Step-by-step reproduction instructions]

Remediation:
[Specific, actionable recommendations with references]

Report Writing Best Practices (from the course)

  • Two audiences: Executives (non-technical summary) and technical staff (detailed findings)
  • Be consistent: Formatting, font, justified alignment, punctuation (if one recommendation has a period at the end, they all should)
  • Active voice: “The application permits path traversal” - not “path traversal was observed”
  • Clear steps to reproduce: Someone should be able to replicate every finding from your report alone
  • Stack findings narratively: Show how multiple issues compound (e.g., no MFA + weak password policy + no account lockout + user enumeration = recipe for account takeover)
  • Good screenshots: Annotate them, highlight relevant data, blur sensitive info
  • CVSS scoring: Include base score and vector string. Consider likelihood and impact together.
  • Remediation should be comprehensive: Not just “sanitize input” but also mention WAF, CSP headers, security headers, and defense-in-depth measures
  • QA your report: Proofread for typos, missing finding numbers, inconsistent formatting. A sloppy report undermines your credibility.
  • Do not overload with detail: Be clear and concise. 29 pages covering findings well is better than 60 pages of noise.

CVSS Scoring Quick Reference

RatingScore Range
Critical9.0 - 10.0
High7.0 - 8.9
Medium4.0 - 6.9
Low0.1 - 3.9
Informational0.0

Use the FIRST.org calculator: https://www.first.org/cvss/calculator/3.1


7. Common Mistakes

From the Course (Triager’s Perspective - Top 10 Mistakes)

  1. Lack of information - Insufficient details, no clear reproduction steps, incomplete proof of concept. This is the number one mistake. Video/screenshots must be accompanied by text payloads and URLs - do not make the reader type from images.
  2. Ignoring program requirements - Testing out-of-scope assets, violating rules of engagement.
  3. Exaggerating severity - Calling a self-XSS “critical” will damage your credibility.
  4. Not considering user impact - Focus on real-world impact, not just the technical details.
  5. Noisy reports - Do not submit three separate reports for the same XSS with different payloads. Consolidate into one comprehensive report.
  6. Submitting low-impact issues - A spelling error is not a security vulnerability.
  7. Disregarding communication etiquette - Stay professional even when frustrated.
  8. Leaking information - Never publicly disclose vulnerabilities before remediation.
  9. Unrealistic payout expectations - Understand the severity ratings and bounty tables.
  10. Failing to verify and validate - Always confirm a vulnerability is reproducible before reporting.

Exam-Specific Mistakes (from community reviews)

  • Not using all the time: People who rush through in 12 hours and submit early often fail. Use the full 48+48 hours.
  • Skipping low-severity findings: The exam expects a thorough assessment. Report EVERYTHING - missing headers, information disclosure, weak session management. These show professionalism.
  • Poor screenshots: Taking screenshots after the fact wastes hours recreating steps. Screenshot as you go.
  • Not reading the Rules of Engagement: These contain the passing criteria and scope. Missing something here can mean instant disqualification.
  • Treating it like a CTF: This is a simulated real-world pentest. There are no flags. Your deliverable is a professional report.
  • Weak enumeration: Spending 20 minutes on enumeration and jumping straight to exploitation. Enumerate directories, parameters, JavaScript files, API endpoints, cookies, headers - be thorough.
  • Not restarting the lab: If something breaks or behaves unexpectedly, restart the environment. This is allowed and saves time.
  • Forgetting to test cookies and headers: SQL injection, XSS, and other attacks can target cookies, headers, and hidden parameters - not just visible form fields.
  • Sloppy report formatting: Inconsistent headings, missing screenshots, no CVSS scores, no remediation. The report is what gets graded.

8. Quick Reference - Key Payloads

Keep these handy during the exam. These are starting points, not exhaustive lists.

SQL Injection Detection

' OR 1=1-- -
" OR 1=1-- -
' OR 1=1#
1' ORDER BY 1-- -
' UNION SELECT NULL-- -
' UNION SELECT NULL,NULL-- -
' UNION SELECT NULL,NULL,NULL-- -

XSS Detection

<script>alert(1)</script>
"><script>alert(1)</script>
'><script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
javascript:alert(1)

LFI/Path Traversal

../../../etc/passwd
....//....//....//etc/passwd
..%2f..%2f..%2fetc/passwd
php://filter/convert.base64-encode/resource=index.php
php://filter/convert.base64-encode/resource=db.php

Command Injection

; id
| id
`id`
$(id)
; cat /etc/passwd
| cat /etc/passwd

SSTI Detection

{{7*7}}
${7*7}
<%= 7*7 %>
#{7*7}
{{config}}
{{''.__class__.__mro__[1].__subclasses__()}}

SSRF

http://127.0.0.1
http://localhost
http://127.0.0.1:80/admin
http://[::1]
http://0x7f000001

9. Exam Day Mental Model

1. READ the Rules of Engagement (30 min)
2. ENUMERATE the application thoroughly (2-4 hours)
   - Map all pages, forms, parameters, APIs
   - Fuzz directories and files (ffuf)
   - Identify technology stack
   - Find hidden parameters (Param Miner)
   - Review JavaScript files for secrets/routes
3. TEST each input systematically (8-16 hours)
   - Authentication and session management
   - Every form field, URL parameter, cookie, header
   - File upload functionality
   - API endpoints
   - Access control between user roles
4. DOCUMENT as you go
   - Screenshot every step
   - Note the payload, the response, the impact
5. WRITE the report (use all 48 hours if needed)
   - Executive summary first
   - Technical findings ordered by severity
   - Clear reproduction steps
   - Remediation for every finding
6. QA the report
   - Read it as if you are the client
   - Check formatting consistency
   - Verify every screenshot is labeled and referenced
   - Spell check

Sources