The Unofficial HTB CWES Notes: Previously HTB CBBH

If you are transitioning from the Old HTB CBBH (Certified Bug Bounty Hunter) to the newly rebranded HackTheBox Certified Web Exploitation Specialist (HTB CWES), you already know that the game has changed.

The bug hunter title is out, and "specialist" is in, and for good reason.

The exam is a rigorous, 7-day black-box engagement that demands a professional methodology.

These HTB CWES Notes are your definitive companion, consolidating over 280 pages of updated attack vectors, API exploitation workflows, and exam-specific survival strategies. Whether you are a developer looking to secure your code or a sysadmin needing a network admin cheat sheet for security auditing, this guide bridges the gap between scattered documentation and a passing grade.

The Old HTB CBBH is Dead

The shift from CBBH to CWES isn't just cosmetic; it represents a pivot toward modern, API-heavy environments. These notes cut through the confusion of the rebrand, clarifying exactly what has changed, specifically the heavy new emphasis on GraphQL and API attacks.

While the exam format remains a grueling 7-day assessment, the content now requires you to master mass assignment, IDORs in RESTful services, and intricate GraphQL introspection attacks. This guide explicitly highlights these new domains, ensuring you don't walk into the exam prepared for 2020 while the target is running 2026 architecture.

API & GraphQL

This is where most candidates fail, and it is where this book shines. The notes provide a dedicated deep dive into Web Service & API Attacks, moving far beyond basic parameter tampering. You will find actionable workflows for dissecting GraphQL endpoints, from schema enumeration via introspection to the "batching attacks" that bypass rate limits.

The guide explains how to uncover Zombie Endpoints that developers forgot to document and how to exploit Server-Side Parameter Pollution (SSPP) to manipulate internal backend requests. If you don't have a methodology for testing mass assignment or improperly bound data objects, you are flying blind. These notes give you the checklist you need to see the invisible.

Reconnaissance

You can't hack what you can't find. While focused on web exploitation, this guide serves as a powerful network admin cheat sheet for reconnaissance. It details advanced Nmap strategies for infrastructure identification, DNS enumeration techniques (including zone transfers), and extensive subdomain brute-forcing workflows using tools like ffuf and gobuster.

It covers techniques for fingerprinting web servers and WAFs, ensuring you understand the underlying network topology before you throw a single web exploit. This section is invaluable not just for pentesters, but for network admins who need to audit their own perimeter visibility.

SQLi, XSS, & SSRF

The classics never die, but they do evolve. This book offers exhaustive "Kill Chains" for the OWASP Top 10. You will find step-by-step procedures for SQL Injection (including blind and boolean-based), Cross-Site Scripting (XSS) deobfuscation, and Server-Side Request Forgery (SSRF).

The notes don't just list payloads; they explain the why and how of bypassing filters. You'll learn to chain vulnerabilities, turning a low-impact file upload into a critical Remote Code Execution (RCE) by leveraging wrapper filters or image converters. It also includes a critical section on SSTI (Server-Side Template Injection), a vulnerability often overlooked until it grants shell access.

Exam Strategy

Success in the HackTheBox Certified Web Exploitation Specialist exam is 40% technical skill and 60% time management. These notes provide a battle-tested exam strategy, introducing the "30-Minute Rule" to prevent rabbit holes and a "Master Vulnerability Checklist" to ensure comprehensive coverage.

Crucially, it emphasizes reporting, the actual deliverable of the exam, teaching you how to document your findings professionally as you go, so you aren't left scrambling to write a 50-page report on Day 7.

Start Below

Click Below to Buy the Full HTB CWES Notes Book Now

https://shop.motasem-notes.net/products/hackthebox-certified-web-exploitation-specialist-htb-cwes-study-notes-guide-unofficial

The author

Motasem Hamdan

I'm a cybersecurity practitioner, technical writer, and content creator who got tired of resources that treat readers like beginners forever.

My notes are built the way I wish someone had built them when I was grinding through certs and CTFs — methodology-first, practitioner-grade, and structured for how analysts actually think on the job.

Over 62,000 people on YouTube follow along. Thousands more read on the site every month. These aren't notes for passing an exam and forgetting everything — they're references you'll keep coming back to.