PREFACE
I have always liked eLearnSecurity courses/exams and have never had stability or support issues with any previous exam attempts. However, the lab “updates” performed by parent company INE earlier this year began what would become a continuous breakage of both course labs and exam scenarios. I hadn’t experienced any of these issues until this exam. I had a really frustrating time with multiple broken exam scenarios and delayed response times from support that required having to create multiple eLearnSecurity/Caendra accounts, disabling previous broken exam scenarios and adding new attempts. I have a couple more exams that I would like to attempt before my INE subscription expires in mid-2023 and then I will likely not be renewing. I’m not quite sure what INE’s end goal is, but it’s sad to see eLearnSecurity going downhill the way it has been.
DISCLAIMER
I will NOT be giving away any exam spoilers or answers here. Feel free to contact me with questions; however, I am not willing to discuss any exam specifics or give any overt hints.
THE COURSE
The accompanying course to the eLearnSecurity Web Application Penetration Tester (eWPT) exam is the Web Application Penetration Testing (WAPT) course, which is accessible with an INE subscription. The exam voucher itself will run you $400. For this particular exam, the course really does cover everything you need to pass; however, it can be a bit challenging if you have not fully grasped the material and what to look for.
The material is a bit dated now, but it does seem to do a good job at covering foundational and relevant web app pentesting concepts, such as HTTP requests/responses, SQL injection, XSS, SOAP services, etc. There are a few course modules that you can skip entirely, namely the Flash security module.
I took this course before INE decided to overhaul all of the course labs and I must say that the original eLearnSecurity labs were far superior to the ones that the course currently provides. The original labs provided students with individual lab instances accessible via VPN. The new labs are browser-based and utilize open source vulnerable web apps like bWAPP and WebGoat that, frankly, you can build on your own.
If you take good notes of the course material, you should have no problem passing this exam. For this exam, I took notes in CherryTree. I have since switched to Obsidian for my note-taking (take a look at my blog post here).
EXAM PROCESS
There is no need to schedule this exam. You can log into the members area and start the exam at a time that is best for you. The exam is not remotely proctored and therefore does not require you to pre-schedule an exact start time. Once you begin, you are given 7 days in the exam environment to complete the technical portion of the exam. Once you finish (or the environment expires), you are given an additional 7 days to write and submit your penetration testing report for review (14 days total). Once you submit your report, receiving your results can take up to 30 days (this can vary greatly).
THE EXAM
When you start your exam, you are given a letter of engagement. This letter details what’s in scope (i.e. domains, subdomains, IP addresses) for you to test. It also informs you of a necessary but not sufficient task that you must accomplish to pass this exam. There are multiple ways to accomplish this task, but you must make sure to do it and document it very clearly in your report. In simple terms, you are given a web app and you must test it (within the boundaries stated) for any and all vulnerabilities you can find and report them. The total number of vulnerabilities is unknown and I am honestly not sure exactly what the metrics are for passing this exam.
The initial reconnaissance and enumeration for this exam will determine if you are successful, so make sure that you do not skimp on this. I got stuck for a bit at the beginning of this exam, but once I started poking around and seeing some patterns, things started to fall into place. This isn’t an exam that I can review with a day-by-day breakdown like I did with my eCPPT review, but all in all, I found 22 vulnerabilities and submitted a 71-page report. It took about a day to receive my results.
OVERALL THOUGHTS
I thought this exam was fun and somewhat challenging. It’s a great practical intro into the world of web app pentesting and even though some of the material is dated, some of the concepts are still relevant and applicable. Web app is not my strongest suit and I can imagine that if you are not into web app at all and don’t get a grasp of the material, you may find this exam difficult.
EXAM TIPS
Easier said than done, but do not overthink and do not let the stress get the best of you. Make sure to eat well, stay hydrated and get adequate amounts of sleep and breaks.
Be sure to take good notes and lots of screenshots. I used CherryTree to take notes and Flameshot to take screenshots. There are a lot of note-taking options out there, so play around with some of them and see what works best for you.
Definitely do not skimp on the reconnaissance and enumeration phase. This part is imperative to your success.
Burp Suite and/or ZAP will be your best friend during this exam. Intercept and inject any and all parameters!
Remember to try multiple tools that perform similar functions. Some tools find things that others don’t.
Make sure you have a good grasp of concepts, in particular SQL injection, subdomain enumeration, XSS, password cracking, unrestricted file uploads.
Make sure you have a good grasp of the tools reviewed in the course: Burp Suite, sqlmap, DirBuster, etc.
Make sure you know how to use sqlmap’s request injection command in particular. It will definitely come in handy:
sqlmap -r request.txt
Focus on the report writing. It is an important part of the exam, so be sure that it is professional grade and documents what you performed in detail.
Most importantly, do not give up. It’s easy to feel defeated and discouraged if you fail, but do your best and remember that you have a free retake and hopefully a useful hint from the exam reviewer.
Best of luck. Onwards and upwards!
RESOURCES
Other eWPT writeups:
Sorsdev eLearnSecurity’s eWPT Exam Review
Untouchable1’s eLearnSecurity eWPT Review and Tips
Report writing:
Videos:
The Cyber Mentor – Writing a Pentest Report
ITProTV – Tips for How to Create a Pen (Penetration) Testing Report
Semi Yulianto – Writing An Effective Penetration Testing Report
Templates:
TCM Security Sample Pentest Report
Sample Reports:
juliocesarfort – Public Pentesting Reports