eWPT practice,
one technique at a time.
Make web exploitation a reflex. The eWPT is a practical web-application penetration test against a realistic target, reported like a real engagement. PwnKata drills every primitive it leans on — injection, inclusion, upload-to-shell, SSRF, and access-control flaws — as repeatable reps on live targets, so you walk in with the workflow already in your fingers.
The eWPT skills, as drillable reps.
Each exam area maps to a set of single-technique drills you can grind until recognition is automatic.
Recon & content discovery
Web Exploitation → Map the app and its hidden surface before you touch a single payload.
Web Content Discovery
Web Content Discovery distilled into repeatable single-technique reps on isolated targets.
Difficulty: easy
Web Proxy Request Tampering
Web Proxy Request Tampering distilled into repeatable single-technique reps on isolated targets.
Difficulty: easy
Passive Recon Simulation
Passive Recon Simulation distilled into repeatable single-technique reps on isolated targets.
Difficulty: easy
Injection attacks
Web Exploitation → SQL injection and OS command injection — the highest-impact web foothold sources.
SQL Injection: Auth Bypass
Drill authentication-bypass SQL injection by matching the payload to the query context.
Difficulty: easy
SQL Injection UNION Extraction
When an injectable query reflects its results, UNION SELECT turns it into a read over the whole database. Drill the column-count-to-extraction workflow.
Difficulty: medium
OS Command Injection
Find where user input reaches a shell, then pick a payload form that survives the filter and response style.
Difficulty: medium
File & inclusion attacks
Web Exploitation → Read the host, then turn a read into code execution.
Local File Inclusion
A page that includes a file by user-controlled name is a window into the whole host. Drill turning that read into proof — and toward code execution.
Difficulty: medium
Directory Traversal
A file parameter that doesn't constrain the path lets you walk the filesystem. Drill traversing out and reading files you were never meant to see.
Difficulty: easy
File Upload to Web Shell
An upload that doesn't validate file type or content is remote code execution waiting to happen. Drill bypassing the filter and landing a web shell.
Difficulty: medium
Server-side attacks
Web Exploitation → Make the server fetch, render, or parse something it shouldn't.
SSRF via URL Parameter
Make the server fetch what it shouldn't. Internal targets are simulated safely inside the drill.
Difficulty: medium
Server-Side Template Injection
A template that renders user input is a path to code execution. Drill detecting the engine and turning a math expression into a shell.
Difficulty: medium
XML External Entity Injection
An XML parser that resolves external entities will read local files for you. Drill defining the entity and pulling the data back.
Difficulty: medium
Client-side & access control
Web Exploitation → Cross-site scripting and broken authorization — the flaws that break trust boundaries.
Reflected XSS
User input echoed into the page without escaping runs as code in the browser. Drill finding the unescaped reflection and firing a payload.
Difficulty: easy
Insecure Direct Object Reference
When the server trusts an ID in your request, changing it reaches data that isn't yours. Drill finding and proving that broken access control.
Difficulty: easy
JWT and Session Weaknesses
JWT and Session Weaknesses distilled into repeatable single-technique reps on isolated targets.
Difficulty: medium
Know you're ready — don't guess.
When the techniques feel automatic, run an Exam Sprint: a timed battery of unseen, blind items weighted to the eWPT blueprint. It returns a readiness report by skill area, so you find your weak spot here instead of in the exam.
- Blind items — identify the weakness yourself, like the real thing
- Solved-vs-attempted by skill area, with time outliers flagged
- A readiness verdict you can actually act on
Start your eWPT reps
Free to start — live isolated targets, a fresh variant every rep.