Passing my eWPT certification

eLearnSecurity Web Application Penetration Tester v1

eLearnSecurity Web Application Penetration Tester, more commonly known as eWPT or eWAPT, is a practical certification from eLearnSecurity; this course focuses on web applications. Although some of you might have taken the eCPPT, which has a web application topic, this course goes deeper into web application vulnerabilities.

If you have an INE subscription, it is enough to pass the exam by applying what you learn there. I think I always say this in all my write-ups, but I have added additional resources to my learning. I always like to think it is better to be over-prepared than under-prepared.

There are 15 topics in the eWPT course:

  1. Penetration Testing Process
  2. Introduction
  3. Information Gathering
  4. Cross Site Scripting
  5. SQL injections
  6. Authentication and Authorization
  7. Session Security
  8. Flash
  9. HTML5
  10. File and Resources Attacks
  11. Other Attacks
  12. Web Services
  13. XPATH
  14. Pentesting — Content Management Systems
  15. Pentesting — NoSQL Databases

Again, solid content from eLearnSecurity: the topics are well written, and while some have typos, it is still great material that they produce. The lab materials were recently updated; they now have web instances for each topic, which is really nice, since I don't need to open VirtualBox and load my Kali VM. I just need to open my browser, log in to INE and load the machine for a topic inside my browser. My take, however, is that the labs are composed mostly of DVWA, bWAPP and OWASP Mutillidae, which you can download on your own if you don't have a budget for the INE subscription.

My Study Tips

For the INE course, I focused on the topics from Cross Site Scripting up to Pentesting CMS, except for Flash. I ran through all the slides in one pass, took good notes in Microsoft OneNote, and did two or three runs through all the labs.

At the same time I used other resources, which I recommend you do as well, because they will very much help you upskill your techniques.

PortSwigger

PortSwigger — hands down to them: they explain each topic greatly, how to exploit and how to prevent or mitigate the vulnerabilities, and the labs are the beast! They have community solutions for each lab, which were very helpful. On top of that, registration is FREE; you don't need a monthly subscription.

Link : https://portswigger.net/users

That is entirely how I prepared for my exam, but I still have a few resources that I went through 2 days before my exam; I found them in one of the write-ups.

TryHackMe — NahamStore https://tryhackme.com/room/nahamstore. I thank this room from the bottom of my heart; it gave me more knowledge on how to find web vulnerabilities. Don't be afraid to use a write-up; of course, if you use a write-up, try to understand the hows and whys as well.

I found this resource in a write-up; SOAP web services are covered here, which are not included in PortSwigger.

https://wooly6bear.files.wordpress.com/2016/01/bwapp-tutorial.pdf

Tools Used

Browser extension:

FoxyProxy — very great to have; you don't need to change your browser's proxy settings by hand to route traffic through Burp.

Wappalyzer — this automatically identifies the target site's web server, the language used, etc.
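To show what a tool like Wappalyzer is doing under the hood, here is an added example (my own code, not from the original post or from the Wappalyzer project) that passively fingerprints a web stack from the HTTP response alone: the Server and X-Powered-By headers, session cookie names and a few body markers. The detection rules and the sample response are constructed for this example and are only a handful of well-known markers, not Wappalyzer's real rule set; it runs offline.

```python
"""Passive technology fingerprinting from a raw HTTP response.

Added example, not code from the original post. The RULES below are a small
hand-picked set of common markers (assumption: they are indicative, not
proof), and SAMPLE_RESPONSE is a constructed response, so this runs offline.
"""
import re

# (technology, where to look, regex). Header names are lower-cased.
RULES = [
    ("Apache", "header:server", re.compile(r"Apache", re.I)),
    ("nginx", "header:server", re.compile(r"nginx", re.I)),
    ("Microsoft-IIS", "header:server", re.compile(r"Microsoft-IIS", re.I)),
    ("PHP", "header:x-powered-by", re.compile(r"PHP", re.I)),
    ("ASP.NET", "header:x-powered-by", re.compile(r"ASP\.NET", re.I)),
    ("PHP", "cookie", re.compile(r"^PHPSESSID=", re.I)),
    ("ASP.NET", "cookie", re.compile(r"^ASP\.NET_SessionId=", re.I)),
    ("Java/JSP", "cookie", re.compile(r"^JSESSIONID=", re.I)),
    ("Django", "cookie", re.compile(r"^csrftoken=", re.I)),
    ("WordPress", "body", re.compile(r"/wp-content/|/wp-includes/", re.I)),
    ("jQuery", "body", re.compile(r"jquery[.-][\d.]+(?:\.min)?\.js", re.I)),
]


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (headers, body).

    Headers map lower-cased name -> list of values, so repeated headers
    such as several Set-Cookie lines are all kept.
    """
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def fingerprint(raw: str) -> dict:
    """Return {technology: [evidence, ...]} for every rule that matches."""
    headers, body = parse_response(raw)
    found = {}
    for tech, where, pattern in RULES:
        if where.startswith("header:"):
            candidates = headers.get(where.split(":", 1)[1], [])
        elif where == "cookie":
            candidates = headers.get("set-cookie", [])
        else:
            candidates = [body]
        for text in candidates:
            m = pattern.search(text)
            if m:
                found.setdefault(tech, []).append(f"{where}: {m.group(0)}")
    # Record the version when the Server header carries one (e.g. nginx/1.18.0)
    # and the product was already detected above.
    for value in headers.get("server", []):
        m = re.search(r"([A-Za-z-]+)/([\d.]+)", value)
        if m and m.group(1) in found:
            found[m.group(1)].append(f"version {m.group(2)}")
    return found


# Constructed sample response (not captured from any real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><head><script src='/wp-includes/js/jquery/jquery-3.6.0.min.js'>"
    "</script></head><body>hello</body></html>"
)

if __name__ == "__main__":
    for tech, evidence in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{tech}: {', '.join(evidence)}")
```

Treat the output as leads, not facts: headers can be stripped or faked by a reverse proxy or WAF, and the absence of a marker proves nothing, which is why the extension only ever saves you the first look, not the manual verification.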

Kali tools:

nmap

ffuf

Gobuster / DirBuster

sqlmap

Burp Suite

Metasploit Framework

Examination Day

This is a 7-day practical pentest plus 7 days for the pentest report. I started mine on March 12, 2022. This is the most relaxed exam I have ever taken, I think because I had past experience with eCPPT and eCTHP, and I really took my time on this exam, because there is no pressure and you can do your chores, work, etc.

So I started March 12 and got admin rights on the 2nd day, which is one of the important requirements of the Rules of Engagement. I submitted my report on March 17.

Lo and behold, after hours of waiting, they gave me the result.

I failed my exam. YES! My 1st failed exam attempt in an eLS certification. This was actually a funny moment for me: just as I failed my exam, I encountered a problem with my exam machine, so I couldn't run it. If you encounter the error below, you need to email INE/eLS's support immediately! I waited it out for one whole day and it didn't resolve itself. eLS support is very accommodating; they will make you create an account and give you a voucher for that account.

The Start button just animates as if reloading; it stayed like that for almost 1 day.

So why did I fail? I didn't follow my gut; the vulnerability was in front of me and I made it complicated. It was just 1 vulnerability and I let it pass me by. So if you encounter a similar feeling, follow it. My tip: if you have a background like mine in web/software development, use your code review skills.

So I passed my eLearnSecurity Web Application Penetration Tester exam yesterday, March 19, 2022; the result came in just 1 day for me. Really happy with my examination; overall it was really easy for me compared to eCPPT.

I really recommend this for all penetration testers and application security people, even beginners. It is a really fun exam; don't stress out if you finish the exam on the last day, or even fail, as long as you learn from it.

Thank you for reading my write-up/review I hope it helps you in your journey!
