[Review] CWL Web Red Team Analyst (WEB-RTA) Exam
Overview
The CWL Web Red Team Analyst (WEB-RTA) exam is a practical web security assessment involving two vulnerable web applications. The exam focuses on identifying and chaining multiple web vulnerabilities to achieve full compromise. It is fully hands-on and requires manual testing rather than relying on automated scanners.
Vulnerabilities Covered
The WEB-RTA exam covers the following web vulnerabilities and attack concepts in its training labs:
- Reconnaissance
- SQL Injection (SQLi)
- XML External Entity (XXE)
- Server-Side Request Forgery (SSRF)
- Insecure Direct Object Reference (IDOR)
- Server-Side Template Injection (SSTI)
- Cross-Site Scripting (XSS)
- Authentication Bypass
- Authorization Bypass
- JWT Misconfiguration / Token Manipulation
- OAuth Misconfiguration (Scope Abuse)
- Weak Access Control
- WAF Bypass Techniques
- OTP Logic Flaw / Brute Force Weakness
- Internal Service Exposure
- Privilege Escalation
- Multi-step Attack Chaining
Summary Flow
→ JWT Manipulation
→ SQLi / XXE Discovery
→ Credential Extraction
→ OAuth Scope Abuse
Toolkit Used
- Burp Suite (Proxy, Repeater, Intruder)
- FFUF (for directory discovery)
- jwt.io (for token analysis)
- CyberChef (for decoding and data transformation)
- Manual Logic (Understanding the OAuth 2.0 Flow was more powerful than any script)
Final Thoughts
WEB-RTA is a structured, practical exam that tests real web exploitation skills. It requires solid fundamentals, patience, and the ability to connect multiple weaknesses into a single attack path.
It is suitable for learners who already understand core web vulnerabilities and want hands-on experience in chaining attacks across applications.

