
100+ Free HTB CWES Practice Questions

HTB Certified Web Exploitation Specialist (formerly CBBH) practice questions are available now; exam metadata is being verified.

Question 1

A web application uses client-side JavaScript to enforce authorization (hiding admin buttons), while the server processes all requests without authorization checks. This is an example of which flaw?

Key Facts: HTB CWES Exam

Exam Format: Practical (source: Hack The Box)
Lab Access Period: 7 days (source: Hack The Box)
Passing Requirement: 8/10 flags (source: Hack The Box)
Exam Voucher Cost: ~$210 (source: HTB Academy)
Certification Validity: 3 years (source: Hack The Box)
Exam Targets: 5 web apps (source: Hack The Box)

The HTB CWES (formerly CBBH) from Hack The Box is an advanced practical web exploitation certification. Over a 7-day lab period, candidates must exploit 5 web applications and capture 8 of 10 available flags, then submit a professional penetration testing report. Core technical areas: SQL injection, XSS, SSRF, XXE, LFI/RFI, command injection, file upload vulnerabilities, web API attacks (IDOR, mass assignment, JWT), and vulnerability chaining. Certification is valid 3 years. This practice test covers the theoretical knowledge — the real exam requires live web application exploitation.

Sample HTB CWES Practice Questions

Try these sample questions to test your HTB CWES exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which HTTP header sent by the browser tells the server the full URL of the page that linked to the current request, and is commonly abused to test Referer-based SSRF or origin validation weaknesses?
A. Referer
B. Origin
C. X-Forwarded-For
D. Host
Explanation: The Referer header contains the URL of the linking page and is sent automatically by browsers. Attackers abuse it to bypass Referer-based CSRF protections or trigger SSRF when servers make outbound requests based on its value. Origin is sent in CORS preflight requests, X-Forwarded-For carries proxy IP info, and Host identifies the requested domain.

2. In Burp Suite, which tool is used to send a single HTTP request repeatedly with modifications, allowing precise manual testing of individual parameters?
A. Intruder
B. Scanner
C. Repeater
D. Decoder
Explanation: Burp Repeater allows you to manually modify and resend individual HTTP requests and inspect responses in detail. It is the primary tool for validating and exploiting vulnerabilities like SQLi and XSS one payload at a time. Intruder automates fuzzing, Scanner automates vulnerability detection, and Decoder encodes/decodes data.

3. A web application appends user input directly to a SQL query: `SELECT * FROM users WHERE id='<input>'`. Which payload causes the application to return all rows by breaking out of the string context?
A. ' OR 1=1--
B. UNION SELECT null--
C. '; DROP TABLE users--
D. admin'/*
Explanation: The payload `' OR 1=1--` closes the string with a single quote, adds a condition that is always true (1=1), and comments out the rest of the query. This causes the WHERE clause to match every row. UNION-based payloads require knowing column counts, DROP TABLE is destructive DDL, and admin'/* is a partial comment approach.

4. Which SQLMap flag is used to specify the target URL for an injection test?
A. -u
B. -p
C. --dbs
D. --forms
Explanation: SQLMap's `-u` (or `--url`) flag specifies the target URL to test. `-p` specifies a particular parameter to test, `--dbs` enumerates available databases once injection is confirmed, and `--forms` instructs SQLMap to parse and test HTML forms on the page.

5. A UNION-based SQL injection attack requires that the injected SELECT statement returns the same number of columns as the original query. Which technique is used to determine the correct column count?
A. ORDER BY incrementing
B. HAVING clause injection
C. Stacked queries
D. Error-based extraction
Explanation: By injecting `ORDER BY 1--`, `ORDER BY 2--`, and so on, an attacker increments the column index until an error occurs, revealing the column count. HAVING clause is used for aggregate filter injection, stacked queries execute additional statements, and error-based extraction uses database error messages to leak data.

6. In blind SQL injection, the application returns no data but behaves differently based on query truth. Which subtype uses sleep functions like `SLEEP(5)` to infer results?
A. Error-based injection
B. Boolean-based blind
C. Time-based blind
D. Out-of-band injection
Explanation: Time-based blind SQLi injects sleep functions (e.g., `'; IF(1=1) WAITFOR DELAY '0:0:5'--`) to confirm injections when the response time increases. Boolean-based blind uses conditional true/false responses with no sleep. Error-based reveals data via error messages. Out-of-band sends data via DNS or HTTP to an external server.

7. A reflected XSS payload is injected into a search parameter that appears in the HTML body. Which payload is the most basic test to confirm unescaped output?
A. <img src=x onerror=alert(1)>
B. javascript:alert(1)
C. '';!--"<XSS>=&{()}
D. &#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;
Explanation: The `<img src=x onerror=alert(1)>` payload executes JavaScript via the onerror event handler when the browser fails to load the image src `x`. It works even when `<script>` tags are filtered. The javascript: URI works only in href/src attributes, not in direct HTML injection. HTML entity encoding in the last option would not execute in the browser.

8. Stored XSS differs from reflected XSS in that the malicious payload is stored in the application's backend (e.g., database) and executed when other users load the page. Which attack scenario best illustrates stored XSS?
A. Posting a comment containing a script tag that executes for all visitors
B. Injecting a payload into a search box URL that is immediately reflected
C. Using DOM manipulation to redirect after a hash change
D. Encoding a payload in the URL fragment to bypass WAF
Explanation: Stored XSS occurs when the payload is saved server-side (in a database, log file, etc.) and later rendered to other users' browsers. A malicious comment field is the classic example — every visitor who loads the comment section executes the attacker's script. Reflected XSS is tied to the request itself and is not stored.

9. In DOM-based XSS, the vulnerability exists entirely in client-side JavaScript. Which of the following is a DOM XSS sink where attacker-controlled data can cause JavaScript execution?
A. document.getElementById()
B. document.cookie
C. innerHTML
D. window.location.hostname
Explanation: innerHTML is a DOM XSS sink because assigning attacker-controlled HTML to it causes the browser to parse and execute any script tags or event handlers in that string. document.getElementById() is a source/selector, document.cookie reads cookie values, and window.location.hostname extracts the hostname from the URL.

10. Which Content Security Policy (CSP) directive restricts which origins can serve scripts, directly mitigating reflected and stored XSS?
A. script-src 'self'
B. X-Content-Type-Options: nosniff
C. X-Frame-Options: DENY
D. Strict-Transport-Security
Explanation: The CSP `script-src 'self'` directive tells browsers to only execute scripts from the same origin as the page, blocking attacker-injected scripts from external origins. X-Content-Type-Options prevents MIME-type sniffing, X-Frame-Options prevents clickjacking, and HSTS enforces HTTPS but does not restrict script sources.

About the HTB CWES Practice Questions

Verified exam format metadata for HTB Certified Web Exploitation Specialist (formerly CBBH) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.