Exam Prep - PWPA (Practical Web Pentest Associate)
Note: The certification was originally called “PJWT” (Practical Junior Web Tester) and was renamed to “PWPA” (Practical Web Pentest Associate) in November 2024. The exam itself has not changed - only the name. This is the entry-level web application pentesting certification from TCM Security.
1. Exam Format
| Detail | Info |
|---|---|
| Duration | 48 hours to test + 48 hours to write the report (4 days total) |
| Format | 100% practical - you pentest a live web application |
| Environment | Cloud-hosted web app accessible via VPN |
| Proctoring | Non-proctored (no intrusive monitoring software) |
| Monitoring | Network traffic is monitored for cheating detection |
| Flags | ZERO flags to capture - this is not a CTF |
| Multiple choice | ZERO multiple choice questions |
| Tools | Any tools permitted, as long as you disclose them in the report |
| Retakes | One free retake included with every voucher |
| Voucher validity | 12 months from purchase |
| Price | ~$199 (discounts for military/veterans/students - 20% off) |
| Prerequisite course | Practical Bug Bounty / Practical Web Application Penetration Testing |
Passing Criteria
- Successfully exploit vulnerabilities in the target web application
- Deliver a detailed, professionally written penetration testing report
- Stay within scope and follow the Rules of Engagement (violating these = disqualification)
- The report is weighted heavily - finding vulns is only half the battle
What You Get
- 9+ hours on-demand training (12-month access)
- Hands-on local labs
- 1 exam attempt + 1 free retake
- 24/7/365 course support
- Digital certification (printable)
2. What to Expect
Vulnerability Categories Most Likely to Appear
Based on the course content and community reviews, expect a mix of these vulnerability types. The exam tests OWASP Top 10 fundamentals.
High probability (core course topics):
- SQL Injection (union-based, blind boolean, blind time-based, second-order)
- Cross-Site Scripting (reflected, stored, DOM-based)
- Local/Remote File Inclusion (LFI/RFI with filter bypasses)
- Authentication flaws (brute-force, MFA bypass, logic issues)
- Broken Access Control / IDOR (horizontal and vertical privilege escalation)
- Command Injection
- Insecure File Upload
- Server-Side Template Injection (SSTI)
Medium probability:
- Cross-Site Request Forgery (CSRF) with token bypass
- Server-Side Request Forgery (SSRF) and Blind SSRF
- XML External Entity (XXE) Injection
- Open Redirects
- Insecure session management
Lower probability but worth knowing:
- Subdomain takeover (conceptual - hard to test in a lab)
- Vulnerable/outdated components
- Information disclosure (security headers, server banners)
Key Exam Characteristics
- This is a single web application, not a network
- Treat it like a real-world pentest engagement, not a CTF
- You will likely find multiple vulnerabilities of varying severity
- Report low, medium, AND high findings - do not skip low-severity issues
- Enumeration reveals 80% of the attack surface - do not skip it
- The passing criteria are only revealed in the Rules of Engagement when you start the exam
- READ THE RULES OF ENGAGEMENT CAREFULLY before you begin testing
3. Study Strategy
Where You Are
You have watched the course twice - once passively and once actively with notes. That puts you ahead of most candidates. Here is what to do next:
Step 1: Redo Every Course Lab From Scratch (1-2 weeks)
- Reset all labs and solve them without looking at the walkthrough
- If you get stuck for more than 30 minutes, check hints (not the full solution)
- For each lab, write down: the vulnerability type, how you found it, the payload, and remediation
- Build muscle memory with Burp Suite - you should be fast with Repeater, Intruder, and the Proxy
Step 2: Build Your Checklists (2-3 days)
Create a checklist for each vulnerability type you can reference during the exam:
- Authentication testing checklist
- SQL injection testing checklist (with payloads for MySQL, PostgreSQL, etc.)
- XSS testing checklist (with filter bypass payloads)
- LFI/RFI testing checklist (with PHP wrappers and filter bypass)
- File upload testing checklist (extension bypasses, magic bytes, etc.)
- SSTI testing checklist (with detection payloads per engine)
- SSRF testing checklist
- CSRF testing checklist
- Command injection testing checklist
Resource: The course references https://appsecexplained.gitbook.io which has checklists per vulnerability type.
Step 3: Practice on External Labs (1-2 weeks)
See Section 4 below for specific labs.
Step 4: Do a Timed Mock Exam (1 weekend)
- Pick a vulnerable web app (like OWASP Juice Shop or a TryHackMe room)
- Give yourself 8 hours to find as many vulns as possible
- Spend 4 hours writing a full pentest report
- This builds time management and report writing skills simultaneously
Step 5: Prepare Your Report Template (1 day)
- Build your template BEFORE exam day (see Section 6)
- Have sections pre-filled with boilerplate text
- Include placeholders for screenshots, CVSS scores, and remediation
4. Practice Resources
PortSwigger Web Security Academy (FREE - highest priority)
URL: https://portswigger.net/web-security
Work through these labs in order of exam relevance:
| Topic | Labs to Complete |
|---|---|
| SQL Injection | All “Apprentice” and “Practitioner” labs |
| Cross-Site Scripting | All “Apprentice” labs + reflected/stored “Practitioner” labs |
| Authentication | All labs (brute force, MFA bypass, logic flaws) |
| Access Control | All “Apprentice” and “Practitioner” IDOR labs |
| File Upload | All labs |
| SSRF | All “Apprentice” labs |
| XXE | All “Apprentice” labs |
| CSRF | All “Apprentice” labs |
| OS Command Injection | All labs |
| Directory Traversal/LFI | All labs |
| SSTI | All “Apprentice” labs |
TryHackMe (some free, some require subscription)
Relevant rooms:
- OWASP Top 10 (free)
- OWASP Juice Shop
- SQL Injection
- Cross-Site Scripting
- Web Fundamentals
- Burp Suite: The Basics / Repeater / Intruder
- Upload Vulnerabilities
- SSRF
- Authentication Bypass
- IDOR
- Command Injection
HackTheBox (subscription recommended)
URL: https://app.hackthebox.com
Relevant challenges and machines:
- HTB Academy: Web Requests, Introduction to Web Applications, SQL Injection Fundamentals
- Starting Point machines with web components
PentesterLab (subscription)
- “Web for Pentester” exercises (free)
- “Essential” badge exercises cover SQLi, XSS, File Inclusion, Code Injection, Command Injection, LDAP Injection, File Upload, XML attacks
OWASP Juice Shop (FREE)
URL: https://owasp.org/www-project-juice-shop/
- Install locally:
docker run -p 3000:3000 bkimminich/juice-shop - Great for practicing SQLi, XSS, broken auth, broken access control, and more
- Has a built-in scoreboard to track progress
Other Resources
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings - payload reference for every vuln type
- HackTricks: https://book.hacktricks.wiki/ - methodology and cheat sheets
- SecLists: https://github.com/danielmiessler/SecLists - wordlists for fuzzing (install with
sudo apt install seclists) - Burp Suite Documentation: https://portswigger.net/burp/documentation
5. Exam Day Checklist
Before You Start
- Burp Suite configured and working (Community or Pro)
- Browser proxied through Burp Suite with certificate installed
- VPN client installed and tested
- Report template ready (see Section 6)
- Note-taking tool open (Obsidian, CherryTree, or OneNote)
- Screenshot tool ready (Flameshot on Linux:
sudo apt install flameshot) - Terminal multiplexer set up (tmux) for running multiple tools
- SecLists installed (
sudo apt install seclists) - ffuf installed and working
- SQLMap installed and working
- Your vulnerability checklists printed or open in a separate window
- PayloadsAllTheThings bookmarked or cloned locally
- Plenty of water and snacks available
- Phone on silent / distractions eliminated
Tools to Have Ready
| Tool | Purpose |
|---|---|
| Burp Suite | Proxy, Repeater, Intruder, Decoder |
| ffuf | Directory/file fuzzing, parameter fuzzing, brute forcing |
| SQLMap | SQL injection detection and exploitation |
| curl | Quick HTTP requests from the terminal |
| Flameshot / screenshots | Documenting evidence |
| Obsidian / CherryTree | Note-taking with structure |
| Mousepad / text editor | Quick notes and payload editing |
| Python 3 | Scripting custom exploits if needed |
| Nmap | Port scanning (may or may not be needed depending on scope) |
| Wappalyzer / BuiltWith | Technology fingerprinting |
| Browser dev tools | Inspecting DOM, cookies, local storage, network requests |
During the Exam
- Read the Rules of Engagement COMPLETELY before touching the application
- Screenshot EVERYTHING as you go - do not plan to come back later
- Take notes on every finding immediately
- Label screenshots clearly (e.g.,
01-sqli-login-payload.png) - Test all input fields, parameters, headers, and cookies
- Check for both GET and POST parameter injection
- Enumerate directories and files with ffuf
- Check JavaScript files for API routes, tokens, hardcoded secrets
- Use Burp Suite Param Miner extension to find hidden parameters
- Test authentication flows for logic bugs
- Test access controls between different user roles
- Check for default credentials on any login panel
- Restart the lab environment if something breaks (this is allowed)
- Contact the helpdesk if you have technical issues - they respond quickly
- Take breaks, sleep, eat - you have 48 hours, use them wisely
Time Management
- Do NOT rush. People who finish in 8 hours and submit early often fail.
- Spend the first 2-4 hours on enumeration and understanding the application
- Spend the next 8-16 hours on systematic vulnerability testing
- Use remaining time to double-check findings and fill gaps
- Start the report while testing - do not wait until the report phase
- Use ALL 48 hours of report time if needed
6. Report Writing
What the Course Teaches About Reporting
Based on the reporting module from the course (transcript 11), here are the key takeaways:
Report Structure
- Cover page - Client name, your name/company, date
- Table of contents
- Confidentiality statement - Snapshot in time, time-limited engagement disclaimer
- Contact information
- Assessment overview - Dates, methodology (OWASP Testing Guide), scope
- Executive summary - High-level, non-technical audience
- Testing summary (what you did)
- Scoping and limitations
- Strengths and weaknesses of the application
- Vulnerability summary table (severity counts)
- High-level recommendations
- Technical findings - Detailed, for the technical audience
- Ordered by severity (critical first, informational last)
- Each finding includes: description, likelihood, impact, CVSS score, affected URL/endpoint, tools used, references (OWASP/CWE), evidence (screenshots), and remediation recommendations
- Appendices - Scan results, additional evidence
Per-Finding Template
For each vulnerability, include:
Title: [Vulnerability Type] - [Location/Parameter]
Severity: [Critical/High/Medium/Low/Informational]
CVSS Score: [X.X] (with vector string)
CWE: [CWE-XXX]
Description:
[What the vulnerability is and why it matters - use active voice]
Likelihood: [Low/Medium/High] - [Justify: requires authentication? network access?]
Impact: [Low/Medium/High] - [What can an attacker actually do?]
Affected Asset: [URL or endpoint]
Tools Used: [Burp Suite, SQLMap, etc.]
References:
- OWASP: [link]
- CWE: [link]
Evidence:
[Screenshot 1 - description]
[Screenshot 2 - description]
[Step-by-step reproduction instructions]
Remediation:
[Specific, actionable recommendations with references]
Report Writing Best Practices (from the course)
- Two audiences: Executives (non-technical summary) and technical staff (detailed findings)
- Be consistent: Formatting, font, justified alignment, punctuation (if one recommendation has a period at the end, they all should)
- Active voice: “The application permits path traversal” - not “path traversal was observed”
- Clear steps to reproduce: Someone should be able to replicate every finding from your report alone
- Stack findings narratively: Show how multiple issues compound (e.g., no MFA + weak password policy + no account lockout + user enumeration = recipe for account takeover)
- Good screenshots: Annotate them, highlight relevant data, blur sensitive info
- CVSS scoring: Include base score and vector string. Consider likelihood and impact together.
- Remediation should be comprehensive: Not just “sanitize input” but also mention WAF, CSP headers, security headers, and defense-in-depth measures
- QA your report: Proofread for typos, missing finding numbers, inconsistent formatting. A sloppy report undermines your credibility.
- Do not overload with detail: Be clear and concise. 29 pages covering findings well is better than 60 pages of noise.
CVSS Scoring Quick Reference
| Rating | Score Range |
|---|---|
| Critical | 9.0 - 10.0 |
| High | 7.0 - 8.9 |
| Medium | 4.0 - 6.9 |
| Low | 0.1 - 3.9 |
| Informational | 0.0 |
Use the FIRST.org calculator: https://www.first.org/cvss/calculator/3.1
7. Common Mistakes
From the Course (Triager’s Perspective - Top 10 Mistakes)
- Lack of information - Insufficient details, no clear reproduction steps, incomplete proof of concept. This is the number one mistake. Video/screenshots must be accompanied by text payloads and URLs - do not make the reader type from images.
- Ignoring program requirements - Testing out-of-scope assets, violating rules of engagement.
- Exaggerating severity - Calling a self-XSS “critical” will damage your credibility.
- Not considering user impact - Focus on real-world impact, not just the technical details.
- Noisy reports - Do not submit three separate reports for the same XSS with different payloads. Consolidate into one comprehensive report.
- Submitting low-impact issues - A spelling error is not a security vulnerability.
- Disregarding communication etiquette - Stay professional even when frustrated.
- Leaking information - Never publicly disclose vulnerabilities before remediation.
- Unrealistic payout expectations - Understand the severity ratings and bounty tables.
- Failing to verify and validate - Always confirm a vulnerability is reproducible before reporting.
Exam-Specific Mistakes (from community reviews)
- Not using all the time: People who rush through in 12 hours and submit early often fail. Use the full 48+48 hours.
- Skipping low-severity findings: The exam expects a thorough assessment. Report EVERYTHING - missing headers, information disclosure, weak session management. These show professionalism.
- Poor screenshots: Taking screenshots after the fact wastes hours recreating steps. Screenshot as you go.
- Not reading the Rules of Engagement: These contain the passing criteria and scope. Missing something here can mean instant disqualification.
- Treating it like a CTF: This is a simulated real-world pentest. There are no flags. Your deliverable is a professional report.
- Weak enumeration: Spending 20 minutes on enumeration and jumping straight to exploitation. Enumerate directories, parameters, JavaScript files, API endpoints, cookies, headers - be thorough.
- Not restarting the lab: If something breaks or behaves unexpectedly, restart the environment. This is allowed and saves time.
- Forgetting to test cookies and headers: SQL injection, XSS, and other attacks can target cookies, headers, and hidden parameters - not just visible form fields.
- Sloppy report formatting: Inconsistent headings, missing screenshots, no CVSS scores, no remediation. The report is what gets graded.
8. Quick Reference - Key Payloads
Keep these handy during the exam. These are starting points, not exhaustive lists.
SQL Injection Detection
' OR 1=1-- -
" OR 1=1-- -
' OR 1=1#
1' ORDER BY 1-- -
' UNION SELECT NULL-- -
' UNION SELECT NULL,NULL-- -
' UNION SELECT NULL,NULL,NULL-- -
XSS Detection
<script>alert(1)</script>
"><script>alert(1)</script>
'><script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
javascript:alert(1)
LFI/Path Traversal
../../../etc/passwd
....//....//....//etc/passwd
..%2f..%2f..%2fetc/passwd
php://filter/convert.base64-encode/resource=index.php
php://filter/convert.base64-encode/resource=db.php
Command Injection
; id
| id
`id`
$(id)
; cat /etc/passwd
| cat /etc/passwd
SSTI Detection
{{7*7}}
${7*7}
<%= 7*7 %>
#{7*7}
{{config}}
{{''.__class__.__mro__[1].__subclasses__()}}
SSRF
http://127.0.0.1
http://localhost
http://127.0.0.1:80/admin
http://[::1]
http://0x7f000001
9. Exam Day Mental Model
1. READ the Rules of Engagement (30 min)
2. ENUMERATE the application thoroughly (2-4 hours)
- Map all pages, forms, parameters, APIs
- Fuzz directories and files (ffuf)
- Identify technology stack
- Find hidden parameters (Param Miner)
- Review JavaScript files for secrets/routes
3. TEST each input systematically (8-16 hours)
- Authentication and session management
- Every form field, URL parameter, cookie, header
- File upload functionality
- API endpoints
- Access control between user roles
4. DOCUMENT as you go
- Screenshot every step
- Note the payload, the response, the impact
5. WRITE the report (use all 48 hours if needed)
- Executive summary first
- Technical findings ordered by severity
- Clear reproduction steps
- Remediation for every finding
6. QA the report
- Read it as if you are the client
- Check formatting consistency
- Verify every screenshot is labeled and referenced
- Spell check
Sources
- TCM Security PWPA Certification Page: https://certifications.tcm-sec.com/pwpa/
- How to Pass the PWPA Exam (TCM Blog): https://tcm-sec.com/the-practical-web-pentest-pwpa-exam/
- TCM Web Pentester Certification Roadmap: https://tcm-sec.com/tcm-web-pentester-certification-roadmap/
- PWPA - Everything You Need to Know (Kyser Clark): https://www.kyserclark.com/post/pwpa-everything-you-need-to-know
- How I Passed the PWPA (coy0te): https://coy0te.medium.com/how-i-passed-the-pwpa-by-tcm-security-431d80f97d1b
- Breaking Into Web App Security - PWPA Journey (LtReborn): https://medium.com/@LtReborn/breaking-into-web-app-security-my-journey-through-the-pwpa-certification-f150a5099722
- AppSec Explained Checklist: https://appsecexplained.gitbook.io
- PortSwigger Web Security Academy: https://portswigger.net/web-security
- FIRST.org CVSS Calculator: https://www.first.org/cvss/calculator/3.1
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings