Today I got the notification that I had passed the test and obtained my eWPT certification. I thought it would be a good idea to share my thoughts and experience here. The course is obviously centered on Web App pen testing, and covers a nice variety of topics, as can be seen in the course syllabus.
Each module is typically broken up into three categories: the slides, videos, and the lab. I'll go into details about each of them below. What I like about the order of the modules is the flow. They start with the basics, covering the process and the introduction, and ramp up the difficulty sensibly. Each module is just as important as the others. Right from the start in the "Penetration Testing Process" chapter, they cover things that I had never thought of despite doing penetration tests for years.
As I previously mentioned, each module has a set of slides associated with it. They guide you through the subject matter in an intelligent way. Starting with explaining the concept, moving on to the different types of attacks and so on. Something that really stood out to me is that each module contains security best practices or tips on prevention/remediation. This is an important part of a penetration test. Not only explaining what you found, but being able to assist with remediation. The slides give practical (but often simplified) examples of the attacks. Calling the examples simplified is not intended to be a point against the course. Instead, I found the examples to be helpful whether I was familiar with the topic or completely new to it.
Most of the chapters have a few videos to supplement the slides. They are typically around 10-15 minutes. The speaker explains the concepts and exploits efficiently, not wasting your time for the most part. I did feel like they walked through setting up Burp and adding the targets to the scope a few times more than necessary. I can, however, see the argument that this is a very important step, even required for testing. You won't get far in a web app pen test if you don't set up Burp (or some other proxy) correctly. The videos are just a bit dated at the time of writing, only in the sense that navigating the version of Kali they are running is dissimilar to what I know of today. That said, the meat of the videos is still very relevant. Each video has a full mock web application associated with it. This varies from blog sites to eCommerce sites; they have a good variety of scenarios where the exploits could be found.
Almost every chapter has a lab associated with it, with some chapters having more than one. For each lab, you have to download the VPN file, connect, enter username/password and then update your `/etc/resolv.conf` file to include their nameserver. It's a slightly tedious process if you want to come back to more than one lab during a study session. That said, I never had connectivity issues so I only had to do the setup once per lab. Once connected, you browse to what is essentially a menu of labs. Each of the labs is broken down into labs, challenges, and video. The labs are the standard scenario and have the solutions/walkthroughs available at the end of the Lab Guide document. The challenges, however, do not have the solutions. They are meant to really test your understanding of the content. I'll be honest, there were some challenges that I never solved. I'm not sure if that speaks to how difficult they are or how quickly I gave up on some of them. Finally, they have the scenario from the video(s) available if you want to follow along.
One of my favorite parts of this whole course is the exam, as it is a full-scale penetration test. Practical and hands-on, it will force you to demonstrate an understanding of several of the topics. While not every module makes it into the exam, I felt that there was a good variety of vulnerabilities. Without going into spoiler territory, some of the exploits were pretty creative, making them fun to discover and exploit. To succeed in the exam, it is critical that you have really reviewed all sections of the modules. While they won't hold your hand and give you the answer, the concept needed for exploitation is there. Along those same lines, it's worth noting that there aren't any surprises in the exam. Everything is covered in the course material. I appreciate that they really stress the "this is NOT a capture the flag. It is a full penetration test." You are expected to find as many vulnerabilities as you can and write a professional report. They give you a generous 7 days for testing and another 7 for documentation. Side note, just because they break it up that way does not mean you should ignore documentation until day 8. Keep good notes and be sure to grab all the info and screenshots you might need for the report. Another generous offer from the eLearnSecurity team is the free retake you get if you don't pass the exam the first time. They provide you with valuable feedback which helped me get through the final push I needed to pass.
The eLearnSecurity Web Application Penetration Tester course was definitely worth my time (and my company's money). While I was already familiar with some of the topics, I truly feel like I have a much better understanding of web app testing now. Using Toggl, I tracked my studying and exam time, with a grand total of 166 hours overall between January and today. I spent an insane 76.5 hours on the exam, which certainly took over my week. Thankfully, I was able to do some of the studying and exam at work.
I sincerely recommend this course for anyone who wants to learn about web app pen testing. It is priced reasonably, provides great content, and you can walk away with another certification under your belt. Thanks for reading and good luck if I've convinced you to take the course!