In this review, I want to share my full eWPTXv3 experience — how I studied, how the exam was, and some useful tips. Let's get started.

What did I study?

Before preparing for the eWPTX exam, I had a basic level of knowledge in web security. So, I started with eWPT and then moved on to eWPTX.

After finishing the eWPT course (without taking the exam), I started preparing for eWPTX using this approach:

  1. Study each topic from INE (Alexis Ahmed)
  2. Ask ChatGPT to go deeper into each topic
  3. Practice on PortSwigger (this is the most important step)

How was the exam?

The exam was at an intermediate level — not as hard as I expected.

Maybe the hardest part of the exam for me was searching for the CVEs. It was painful, but the other bugs were straightforward.

If you practice well on PortSwigger, you should be able to solve most of the exam challenges.

For scanning and enumeration, I mainly used:

  • nmap
  • whatweb
  • dirb

In my case, the exam focused mostly on:

  • JWT
  • SQL Injection
  • API Testing
  • CVEs

I also had one question about deserialization.

Some people reported NoSQL injection challenges, but I didn't encounter any in my exam.

Tips

  • Read the letter of engagement carefully
  • Write notes for every target and organize them
  • Don't write your notes on the INE machine
  • Do a quick recon on all targets before going deep into exploitation

Wordlists

  • Users: /usr/share/metasploit-framework/data/wordlists/unix_users.txt
  • Passwords: /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt
  • Passwords: /usr/share/seclists/Passwords/rockyou.txt
  • JWT Secrets: /usr/share/seclists/Passwords/scraped-JWT-secrets.txt
  • Directory Fuzzing: /usr/share/wordlists/dirbuster/
  • Directory Fuzzing: /usr/share/seclists/Discovery/Web-Content/
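Since JWT was one of the main exam topics and a JWT secrets wordlist is listed above, here is an added example (my own code, not part of the original review or of any INE/eLearnSecurity material) showing what such a wordlist is actually used for: checking whether an HS256-signed token was produced with a secret that appears in a known list. It is written as a self-audit a developer or defender can run against their own application's tokens. The token and the candidate list are constructed inline so the script runs offline; `audit_from_file` reads a real one-secret-per-line file such as the seclists path above.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_signature(signing_input: bytes, secret: str) -> bytes:
    """HS256 is just HMAC-SHA256 over 'header.payload' keyed with the shared secret."""
    return hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()


def make_hs256_token(payload: dict, secret: str) -> str:
    """Build a compact JWS (header.payload.signature) signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{head}.{body}".encode("ascii")
    return f"{head}.{body}.{b64url_encode(hs256_signature(signing_input, secret))}"


def find_weak_secret(token: str, candidates):
    """Return the first candidate that reproduces the token's signature, else None.

    Only HS256 tokens are examined: an RS256/ES256 token has no shared secret to
    guess, and an alg=none token is rejected rather than treated as verifiable.
    """
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        expected = b64url_decode(sig)
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed compact JWS
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{head}.{body}".encode("ascii")
    for candidate in candidates:
        candidate = candidate.rstrip("\r\n")  # tolerate lines read from a file
        if not candidate:
            continue
        # compare_digest keeps the check constant-time for a given candidate
        if hmac.compare_digest(hs256_signature(signing_input, candidate), expected):
            return candidate
    return None


def audit_from_file(token: str, path: str):
    """Same check against a wordlist on disk, one secret per line."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return find_weak_secret(token, fh)


# Constructed sample wordlist standing in for a file like scraped-JWT-secrets.txt
CANDIDATE_SECRETS = ["secret", "password", "changeme", "jwt_secret\n"]

# Constructed tokens: one signed with a secret from the list, one with a random 256-bit key
WEAK_TOKEN = make_hs256_token({"sub": "alice", "role": "user"}, "changeme")
STRONG_TOKEN = make_hs256_token({"sub": "alice", "role": "user"}, secrets.token_hex(32))


if __name__ == "__main__":
    print("weak token   ->", find_weak_secret(WEAK_TOKEN, CANDIDATE_SECRETS))
    print("strong token ->", find_weak_secret(STRONG_TOKEN, CANDIDATE_SECRETS))
```

If `find_weak_secret` returns a value for one of your own tokens, anyone holding that wordlist can forge arbitrary claims for your application; the fix is a signing key of at least 256 random bits (as `STRONG_TOKEN` uses) or an asymmetric algorithm, together with a server that rejects unexpected `alg` values.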

This review does not disclose any exam content and is based only on my personal experience.

Thank you for reading, and I wish you all the best.

LinkedIn: https://www.linkedin.com/in/hamad-alsayegh-36702b380
Twitter: https://x.com/rz7zr