
100+ Free HTB CWEE Practice Questions

HTB Certified Web Exploitation Expert practice questions are available now; exam metadata is being verified.


Key Facts: HTB CWEE Exam

Exam Duration: 10 days (source: Hack The Box)
Flags to Pass: 5 of 6 (source: HTB CWEE community reviews)
Senior Web Pentester Path: 15 modules (source: HTB Academy)
Exam Applications (WB/GB/BB): 3 apps (source: Hack The Box)
Retake Included: 1 free (source: Hack The Box)
Difficulty Rating: Expert (source: Hack The Box Academy)

HTB CWEE is an expert-level, fully hands-on web security certification requiring exploitation of 3 real-world applications (white-box, gray-box, black-box) over 10 days. Candidates must capture 5 of 6 flags and submit a professional penetration test report. Prerequisites include completing the 15-module Senior Web Penetration Tester path on HTB Academy. The exam targets advanced techniques: SSTI, prototype pollution, JWT/OAuth exploitation, request smuggling, deserialization chains, web cache poisoning, and white-box source code review with custom exploit development.

Sample HTB CWEE Practice Questions

Try these sample questions to test your HTB CWEE exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. In a Server-Side Template Injection (SSTI) attack against a Jinja2 application, which payload is used to enumerate the MRO (Method Resolution Order) and reach the 'os' module for Remote Code Execution?
A. {{''.__class__.__mro__[1].__subclasses__()}}
B. {{7*7}}
C. ${7*7}
D. <%=7*7%>
Explanation: In Jinja2 SSTI, {{''.__class__.__mro__[1].__subclasses__()}} traverses the Python MRO from the empty string's class (str) up to 'object', then enumerates all of its subclasses to find classes that expose OS-level primitives such as subprocess.Popen. The other payloads either only test for SSTI ({{7*7}}), are FreeMarker/Spring EL syntax (${7*7}), or are ERB syntax (<%=7*7%>) and will not be evaluated by Jinja2.
2. Which Jinja2 SSTI sandbox-escape technique uses the '__globals__' attribute to access the 'os' module without relying on '__subclasses__()'?
A. {{config.__class__.__init__.__globals__['os'].popen('id').read()}}
B. {{''.__class__.__mro__[-1].__subclasses__()[40]('/etc/passwd').read()}}
C. {{request.application.__globals__.__builtins__.__import__('os').system('id')}}
D. {{self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read()}}
Explanation: config.__class__.__init__.__globals__['os'] reaches the 'os' module directly through the global namespace of the config object's class's __init__ method, so there is no need to enumerate subclasses. This is a common sandbox-bypass technique because the config object is usually accessible in Flask/Jinja2 contexts and its __globals__ exposes the defining module's globals, including the full Python builtins.
3. When testing for SSTI, an application returns '49' for {{7*7}} but '7*7' for ${7*7}. Which template engine is most likely in use?
A. Jinja2 (Python)
B. Twig (PHP)
C. FreeMarker (Java)
D. Velocity (Java)
Explanation: Jinja2 uses double-curly-brace syntax {{...}} for expression evaluation, so {{7*7}} evaluates to 49. It does not process the ${7*7} syntax used by FreeMarker and Spring EL. This characteristic response pattern (double-brace evaluated, dollar-brace echoed back) is a reliable fingerprint for Jinja2/Python-based templates.
4. In a JavaScript prototype pollution attack, which property path is most commonly targeted to pollute the base Object prototype?
A. obj.__defineGetter__
B. obj.__lookupGetter__
C. obj.prototype.constructor
D. obj.constructor.prototype
Explanation: Prototype pollution targets Object.prototype by traversing obj.constructor.prototype. For a plain object, obj.constructor points to the Object constructor function, and .prototype is that constructor's prototype, so any property set on obj.constructor.prototype propagates to all JavaScript objects. Payloads like {'constructor':{'prototype':{'isAdmin':true}}} are the canonical pollution vector.
5. A web application merges user-supplied JSON into a configuration object using a recursive deep-merge function. An attacker sends {"__proto__":{"isAdmin":true}}. What is the primary risk?
A. All subsequently created objects inherit isAdmin:true, enabling privilege escalation
B. The server crashes due to circular reference detection
C. The JSON parser rejects the __proto__ key as invalid syntax
D. Only the merged object is affected; other objects remain unmodified
Explanation: When a deep-merge function sets object['__proto__']['isAdmin'] = true, it modifies Object.prototype directly, because __proto__ is not an ordinary key but an accessor for the object's prototype, which for a plain object is Object.prototype. All subsequently created plain JavaScript objects inherit isAdmin:true from the polluted prototype, so privilege checks like if(user.isAdmin) evaluate true for every user.
6. Which HTTP request smuggling variant exploits a discrepancy where the front-end proxy uses Content-Length and the back-end uses Transfer-Encoding?
A. TE.TE (Transfer-Encoding obfuscation)
B. TE.CL (Transfer-Encoding front-end, Content-Length back-end)
C. CL.CL (conflicting Content-Length headers)
D. CL.TE (Content-Length front-end, Transfer-Encoding back-end)
Explanation: CL.TE smuggling occurs when the front-end proxy determines request boundaries using Content-Length while the back-end server prefers Transfer-Encoding: chunked. The attacker crafts a body that Content-Length reads as one complete request, but the back-end's chunked parsing leaves a malicious prefix that is prepended to the next victim's request.
7. To confirm CL.TE HTTP Request Smuggling using Burp Suite, which timing-based technique distinguishes a smuggled request from normal network latency?
A. Send the request and observe a 400 Bad Request response
B. Check for duplicate Content-Length headers in the response
C. Send a CL.TE probe that causes the back-end to wait for additional chunked data, resulting in a delayed response
D. Observe whether the server returns a 501 Not Implemented for chunked encoding
Explanation: The standard CL.TE timing probe sends a request whose Content-Length body is 'complete' but whose chunked body ends with a non-terminating chunk (e.g., the last chunk declares a size of 5 but only a small prefix is sent). The back-end, parsing chunked encoding, waits for the remaining chunk data, causing a noticeable delay (typically 10+ seconds). This confirms that the back-end is interpreting chunked encoding.
8. Which JWT attack involves forging a token by changing the algorithm from RS256 to HS256 and signing it with the server's public key as the HMAC secret?
A. JWT header injection
B. Algorithm confusion (alg=none bypass)
C. Algorithm confusion (RS256 to HS256)
D. JWT kid path traversal
Explanation: The RS256-to-HS256 algorithm confusion attack exploits libraries that read the algorithm from the token at verification time without enforcing which algorithm is expected. If the server's RSA public key is obtainable (e.g., from /jwks.json), the attacker sets alg to HS256 and signs the JWT with the public key as the HMAC secret. The server's verification code then uses the same public key as the HMAC secret and validates the forged token.
9. A JWT contains the header parameter "jku": "https://attacker.com/jwks.json". What attack does this enable?
A. The attacker injects SQL through the jku URL parameter
B. The attacker uses the jku to perform SSRF against internal services
C. The attacker modifies the JWT payload without invalidating the signature
D. The attacker hosts a crafted JWKS at the URL, signs a forged JWT with their private key, and the server fetches and validates against the attacker's public key
Explanation: The 'jku' (JWK Set URL) header parameter specifies a URL from which the server fetches the JSON Web Key Set used for signature verification. If the server does not whitelist allowed jku values, an attacker can generate their own RSA key pair, host the public key at a URL they control, sign a forged JWT with their private key, and place that URL in the jku header. The server fetches the attacker's JWKS and verifies the signature as valid.
10. In an OAuth 2.0 authorization code flow, which attack exploits a missing or predictable 'state' parameter to perform CSRF on the authorization endpoint?
A. Authorization code interception via open redirect
B. Refresh token exhaustion attack
C. OAuth CSRF via state parameter absence
D. Scope escalation via token reuse
Explanation: The OAuth 'state' parameter is a CSRF token unique to each authorization request. Without it (or when it is predictable), an attacker can craft a malicious authorization URL, trick a victim's browser into completing the OAuth flow, and link the attacker's account to the victim's session. This gives the attacker authenticated access using the victim's identity.

About the HTB CWEE Practice Questions

Verified exam format metadata for HTB Certified Web Exploitation Expert is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.