Post

How I Strengthened My Cybersecurity Toolkit by Completing the Hack The Box Web Penetration Tester Pathway

Posted
By Tayven
4 min read
How I Strengthened My Cybersecurity Toolkit by Completing the Hack The Box Web Penetration Tester Pathway

HTB Achievement Badge

My achievement badge earned for completing the Hack The Box Web Penetration Tester Pathway.

As a cybersecurity professional, I’ve always believed that to defend systems effectively, you need to understand how they can be broken. That belief is what led me to pursue the Hack The Box Web Penetration Tester Pathway. My goal wasn’t just to learn new tools, but to expand my knowledge on the offensive side of cybersecurity so I could strengthen my overall skill set.

One of the key reasons this course appealed to me is simple: if you can prove a vulnerability exists and demonstrate how it can be exploited, you can build a strong, priority-driven business case for fixing it. That ability to translate technical findings into actionable remediation is critical for both security and business outcomes.

Skills and Tools Gained

The course elevated my knowledge across a wide range of areas, including:

  • Burp Suite & OWASP ZAP - mastering interception, fuzzing, and workflow testing
  • OSINT & Reconnaissance - building a complete picture of the attack surface
  • Core vulnerabilities - XSS, SQL injection, authentication flaws, and fuzzing techniques
  • Toolkits - not just learning individual tools, but understanding how to discover, evaluate, and integrate them into a penetration testing workflow

What stood out most was realising that penetration testing isn’t about throwing every tool at a target-it’s about process.

Web Pentesting: From Chaos to Process

As I progressed, I built a structured flow that turned what initially felt chaotic into a repeatable methodology:

  1. Recon & Mapping
    • Enumerate domains, subdomains, endpoints, and technologies
    • Build a clear picture of the attack surface
  2. Identify Entry Points
    • Logins, forms, parameters, file uploads, APIs
    • Flag anything that processes user input
  3. Test Core Vulnerability Classes
    • Authentication/session handling flaws
    • Injection points (SQLi, XSS, command injection, file upload)
    • Access control issues
  4. Drill Down with Toolkits
    • sqlmap for SQLi
    • Burp for fuzzing and workflow abuse
    • Custom payloads for XSS or command injection
  5. Expand to Logic & Modern Features
    • Workflow bypasses, race conditions
    • APIs, misconfigurations etc.
  6. Server-Side & Infrastructure
    • SSRF, directory traversal, outdated software, misconfigured headers
  7. Evidence & Reporting
    • Capture proof of concept
    • Map findings to the OWASP Top 10 or compliance frameworks
    • Provide remediation guidance

This process gave me a structured way to approach testing-one that I can now apply in both professional engagements and future studies.

The Power of Documentation

One of the most valuable lessons wasn’t just technical, it was about discipline. Good documentation is essential. I made a deliberate effort to:

  • Record every command I used
  • Capture screenshots of both successful and failed attempts
  • Document techniques and workflows in detail

This practice means I can revisit and refine my skills at any time. It also ensures that my work is reproducible, reference-friendly, and useful for future projects or audits.

The tool I used for documentation was OneNote. Overall, I’m happy with how it supports my workflow, but as a Copilot user I’m hopeful that Microsoft will continue to expand its capabilities. Particularly around searching and referencing notes more efficiently. Recently, Microsoft introduced Copilot Notebooks, which I’ve started exploring, and I’m interested to see how they can enhance the way I organise and review my documentation.

Reflections on the Course Length and Certification

While I gained a huge amount from the Hack The Box Web Penetration Tester pathway, one aspect I didn’t enjoy as much was the length and sheer volume of content. It took a significant amount of time to work through, and while that depth is valuable, it also made the journey quite demanding.

Because of the course length, if I decide to pursue the certification in the future, I know I’ll need to go back and revisit and practice each topic in detail. That will take additional time and effort, and depending on my professional roadmap, I may or may not take that plunge.

Another factor for me is the exam format itself. The certification exam runs for seven days, which is designed to simulate the length and documentation requirements of a real penetration test. While I understand the reasoning, personally I find that a challenging amount of time to set aside for an exam.

At this stage, I’m satisfied with having completed the course itself. The skills, processes, and documentation habits I developed are already valuable additions to my toolkit. For now, I’ll continue along my professional roadmap, which I’ll outline in another post soon.

Looking Forward

Completing this course has reinforced my belief that offensive knowledge makes you a stronger defender. By understanding attacker processes, I can better anticipate threats, communicate effectively with red teamers, and build stronger cases for remediation within organisations.

For me, this wasn’t just about learning tools, it was about building a mindset and methodology that will continue to grow with my career. The documentation I created, the workflows I refined, and the attacker’s perspective I gained are now part of my toolkit as I continue my cybersecurity journey.

training, offensive-security, professional-growth
cybersecurity hackthebox web-pentesting skills-development toolkit
This post is licensed under CC BY 4.0 by the author.