My eWPT/WAPT Experience

I have successfully taken eLearnSecurity’s Web Application Penetration Testing (WAPT) course and passed eLearnSecurity’s Web Application Penetration Tester (eWPT) certification. These are my thoughts on the course and certification experience.

Background

After completing my OSCP a few months ago and taking a little while off from studying, I decided it was time to begin a new course / certification. While I felt I had obtained decent exposure to external style penetration testing with eJPT, HTB, and OSCP, I knew I lacked experience with web application testing. As mentioned, I had previously taken and completed the PTS/eJPT course with eLearnSecurity and I knew they had a reputation of producing quality content.

Prior to starting the course my only experience with web app related pentesting was from the brief sections on XSS and SQli covered during PWK. Excited to learn more, I registered for WAPT/eWPT on October 18th.

Course Materials & Labs

Overall, I found the WAPT course materials to be very thorough and informative. eLearnSecurity provides students with online slides and videos that they may review at their own pace. Depending on your course plan, you may also download the slides as a PDF to review offline. The content covered in WAPT ranges from common web app attacks such as XSS to some more obscure things involving Flash or WSDL. Each chapter also has 1-3 videos throughout it where the user can watch a demo of the exploits or methods just discussed. One thing that stands out to me about the course materials is eLearn does not just cover the how they also cover the why, taking the time to explain what is happening behind the scenes with each exploit.

Having done the PTS/eJPT I generally knew what to expect from the labs. Rather than an open cyber range like PWK, WAPT’s Hera Labs are targeted for each chapter and have set objectives for the student to complete. Each chapter’s labs are divided into “video”, “lab”, and “challenge,” these correspond to crawl, walk, run in difficulty. The video section of the labs replicates the environments from any videos in that chapter, allowing the student to follow along with the videos if they so choose. The lab section of the labs gives the student set objectives to achieve and recommends the tools or techniques needed to do so. Additionally, solutions are available to these lab objectives if the student gets stuck or needs a nudge. Finally, the challenges are harder objectives that will require some self-study outside of the course materials. They are meant to make the student apply the skills learned in unfamiliar or unique ways. The solutions to lab challenges are not provided but if needed the student can search for hints on the student forums.

The Exam

If you are unfamiliar, the exam is comprised of 7 days of VPN access to conduct a thorough pentest, followed by 7 more days to write a report including an executive summary, a vulnerability overview, and remediation recommendations. The entire first chapter of the WAPT materials covers how to create a detailed and professional report, I found this extraordinarily helpful. Unlike the OSCP, there are not many report templates available, so doing the eWPT report really forces the student to craft something original. I found writing the report to be almost as fun as the exam itself.

A required objective for the exam is that you find a way to compromise the admin account in order to gain access to the administration panel. This provided a fun twist on the exam as it was not just finding as many vulnerabilities as possible, but instead the student had to analyze which vulnerabilities could be chained together to achieve this end state. I spent my first day in the exam getting a feel for the web app, discovering functionality, and testing for vulnerabilities. My second day I sought out potential paths to obtain the necessary objective of gaining admin. Finally, on the third day I was able to gain access to the administrator area with 2 different methods. In the end, I identified 19 vulnerabilities or misconfigurations and produced a 38-page report. However, the most surprising part was that somehow eLearn’s examiners were able to review and grade my 38-page report in just 4 minutes. That’s right… from hitting “submit” to passing it took 4 minutes.

While I enjoyed the course, I do have 1 major complaint with the exam that future eWPT/WAPT students should keep in mind. Since the exam requires students to visit domains and subdomains, students must make an addition to their /etc/resolv.conf file and add an eLearnSecurity nameserver. However, I found that there was a spam site with the same URL as the target company in the exam, and to avoid being redirect to this spam site and spam subdomains I had to clear out all other nameserver entries in /etc/resolv.conf. This means that if I wanted to be able to reach the target website during my exam, I had to cut off all other internet access. Perhaps in the future eLearn can change the URL of the target company so there is no overlap with an existing spam site.