eWPT exam Review and Study Guide!

Hey!! So you are thinking of getting eWPT certified?

This blog will briefly give you an idea of what the exam is, what to expect from it, who is it for, how I studied and some useful tips & tricks that helped me during exam. Hopefully this will help you in achieving your goal.

Let’s begin!

About eWPT

The eWPT is the certification exam by eLearnSecurity that assesses an individual’s Web Application Penetration testing skills in a real world environment. INE provides the Web Application Penetration Testing Professional course(WAPT) to tackle the exam.

You can read more about it here .

Who is it for?

The exam covers most of the basics that you need to get into Web App Penetration testing. It is beneficial for Bug Bounty Hunters, Penetration Testers, Security Researchers, CTF-Players as well as Web App Developers.

Prerequisites

Anyone with basic knowledge of programming in JS and HTML can cruise through the course and give the exam.

I myself had no knowledge of JS and only basics of HTML but I was able to learn HTML from here and the only JS I needed was a one liner code. The exam can be passed through multiple ways and only some require a little bit of programming which you can just google. Reading and understanding PHP code will also help although it is not mandatory.

How I prepped for the exam?

I bought the INE’s Cyber Security Pass. With the Cyber Security Pass you can go through all the Security related courses that are provided by INE with unlimited access to the labs so that you can practice as much as you want without any restriction.

So I started the WAPT course and went through all the material(PDFs, Videos and Labs) in 30 days. People can complete it in 15 days as well but I would recommend taking your time and really understand the concepts of each attack and their remediation.

After reading the PDFs and watching Videos, you get to practice what you have learnt through labs. PLEASE GO THROUGH ALL THE LAB EXERCISES AND CHALLENGES ATLEAST 2 TIMES. I used to spend almost 4-6 hours(Excessive!) on most labs, Toying with ideas, Trying new things, which is why it took me an entire month. But labs can be completed fairly quickly as well.

Please Take notes! I didn't took notes at first, but when doing the labs again, I had to go through the entire modules just to lookup something that I forgot. Notes will help you in exam as well.

Learn how to write a good report. As this was my first time writing a report, it took me a lot of time to come up with a good format. You can access Public Pentesting reports to get an idea of what real world reports look like. A good repository of public pentest reports is provided by juliocesarfort which can be accessed from here.

The WAPT course is more than enough for you to pass eWPT exam.

The Exam Overview

You get 7 days to test a web application, find vulnerabilities and satisfy the goals of the exam. The exam covers a large scope, you are required to find vulnerabilities in multiple places and chain them to reach the exam objective. THIS IS NOT A CTF, IT IS A REAL WORLD PENETRATION TEST. What I mean by that is you have to identify as many vulnerabilities as you can, reaching the exam objective is a necessary condition but not enough to actually pass. Although some vectors that you will read in course don’t make it to exam, still the exam does a good job of testing you on most of the OWASP top 10 attack vectors. After the end of the exam you get another 7 days to write a pen test report and upload it to the exam portal.

I found 18 types of vulnerabilities, each type having one or more occurrence and it took me over 12 hours to write my report which after much filtering was 47 pages long.

The exam is definitely challenging and will make you leave your comfort zone, but it is a lot of fun.

Tips & Tricks for the exam:

1. Please don’t get demotivated after finding that some people completed the exam in 1 day while you are taking longer. Take your time with the exam environment and find all the possible vulnerabilities. Most people who complete the exam fast can’t find a lot of vulnerabilities and just submit a bad report. As a pentester, make it your principle that you will find all that you can and will report everything that you found in an organized manner.
2. Use Burp Suite effectively, Inspect every packet, every header for vulnerabilities. You can get 1 month of free trial for Burp Pro from Port Swigger website, Will help you a lot in finding low hanging fruits.
3. Take breaks, it will keep your mind fresh and will help in refocusing.
4. Reset the exam environment if you feel that something should work but is not working. You get 4 daily resets.
5. People have reported that their Lab VPN is not stable but It worked fine for me. So keep an eye out for this.
6. Unofficial INE Discord Server: https://discord.gg/9dvPVVBhgB
7. If you face any problems during your exam, contact the following and you will get a swift response: support@elearnsecurity.com
8. Make a good report. It is the only result that clients get and the only thing that matters the most in an entire Pen Test. You can find a good report format by TheMayor in the above mentioned discord server.
9. Do not take HD Screenshots of your entire screen to add to your report, the report size can not be higher than 10 MB. Only take shots of the relevant area of the screen, this will reduce the size as well as make your report precise. A good screenshot taking software is Greenshot, it lets you capture a specific part of screen and edit it on the go.
10. Usually most people take screenshots while doing the exam but it breaks my flow, so what I do is I use OBS to screen record my entire testing phase and take the screenshots from the recordings in reporting phase.
11. Notes and Google are your best friends. Whenever in doubt, read your notes and google stuff. Google is the bread and butter of every pentester.

A Note from Author:

This is my first attempt at reviewing/blogging anything so I tried to make it as detailed as possible. I am sorry that it turned out to be big blog, I will make sure that my skills at blogging improve. Thank you for taking the time to read it. Have a nice Day!