CWES Cheatsheet
this is my personal cheatsheet collection for the Certified Web Exploitation Specialist (CWES) cert. i’m sharing the structure and tools i used while studying, not to hand you answers, but hopefully to inspire you to build your own.
go through the topics, pick up the tools, and make your own notes. that’s how it actually sticks.
Topics
| Attack Vector | Tools / Commands | Key Topics |
|---|---|---|
| Passive Recon | host, wafw00f, whois, google dork, wayback | Public info, subdomain recon, infrastructure ID |
| Active Recon | nslookup, dnsrecon, dnsenum, dig, fierce | Subdomain enum, VHOST, zone transfers, DNS |
| Fuzzing | ffuf, Gobuster, Wenum, Feroxbuster | Dir/page/extension/param/API fuzzing |
| XSS | XSStrike, Brute XSS, XSSer | Stored, Reflected, DOM-based |
| SQL Injection | SQLMap, manual SQL | SQLi fundamentals, SQLMap essentials |
| Command Injection | Blacklist filters | Filter bypass techniques |
| File Upload | Client-side/blacklist/whitelist/content-type bypass | Upload filter bypasses |
| File Inclusion | LFI, PHPWrapper | LFI, PHP wrappers |
| Server-Side Attacks | SSRF, SSTI, SSI, XSLT | Server-side injection techniques |
| Login Brute Forcing | Hydra, hashcat | Brute force, password cracking |
| Broken Authentication | — | Auth bypass techniques |
| Web Attacks | HTTP Verb Tamper, IDOR, XXE | Verb tampering, IDOR, XXE |
| Attacking GraphQL | GraphQL | Enumeration, exploitation |
| API Attacks | REST | REST API attack techniques |
| Attacking Common Applications | — | Common app exploitation |
| JavaScript Deobfuscation | — | JS deobfuscation techniques |

This post is licensed under CC BY 4.0 by the author.