After two years of on-and-off preparation for this exam, I finally did it!
Let’s get into it, shall we?
“The Burp Suite Certified Practitioner (BSCP) is an official certification for web security professionals, from the makers of Burp Suite. Becoming a Burp Suite Certified Practitioner demonstrates a deep knowledge of web security vulnerabilities, the correct mindset to exploit them, and of course, the Burp Suite skills needed to carry this out.”
I initially bought this exam in 2021 when PortSwigger were running their Black Friday Sale. I really wanted that swag back then. Being the first 100 people who passed and all. I was thinking it can’t be that hard so let’s get it before the year of 2021 finishes and give myself an early Christmas gift. Well….that was before I started reading reviews. People were failing two, three, and up to seven times! I was thinking they were probably just people new to the field but turns out I was wrong! These were recognized and certified security personnel in the industry with years of experience. From the OSCP to the OSWE brains out there, you name it! I got cold feet. Yup! I could not do it, I told myself I will just prepare on and off until I think I am ready. I think my only regret was not buying multiple vouchers, as I saw a lot of people do at that Black Friday $9 price.
Let us fast forward to June 2023. I did some prep on and off, this was a combination of using PortSwigger and INE training resources. I was also prepping for the eWPTXv2 certification so the INE training resources came in clutch. I did not spend as much time on PortSwigger materials as I saw many of them overlapped with some of the INE material. What I did do was touch on topics I did not consider myself strong in, such as HTTP Request Smuggling. My goal was to pass eWPTXv2 and then go for the BSCP. I think I would be somewhat ready in validating my skills thus far, right? Good plan? At least I thought so.
1st Attempt at the Exam
The day had arrived and I decided to put my $9 voucher finally to use. I read many blogs that said be prepared to fail the first attempt but I did not want to have that in my head. Wanted to be one of the few that passed on the first attempt. I was humbled soon enough. Before being let into the exam you have to go through the automated proctoring service by a company called Examity. It was a simple enough process. Once you are done you are given access to the exam. You are given two web applications with the same path. Access to a low-privilege user -> Elevate to Administrator -> Use the admin interface to read the contents of /home/carlos/secret from the server’s filesystem. I was on the first web application, super excited, ready to dive in but I could not find anything in the first 2 hours. I moved on to the second application and identified a path to achieve the objective. I wish it was as easy as I just typed it but it was not by any means. I had determined and known for sure this is the path I needed to take but my payloads just were not working with me. I was on this for a while. I have this awful habit of staying on one thing until it works and this exam is the worse place to make that mistake. Why? It is all about speed and quick thinking. There is no 24-hour leeway or additional days to troubleshoot your payloads or exploits. Only four hours. The time went by and I had about an hour left. Now that was when my payloads started working. At that point, I accepted I failed the first attempt miserably and had just begun to see how much I could do and get a better feel of the exam. Once the timer stopped I got the email almost immediately that I had failed.
2nd Attempt at the Exam
I bought my second attempt immediately after my first attempt and decided I would take a crack at it again the following morning at the same time. Did a little more prep and woke up the next day ready once more.
Same process, Examity then access to the exam. Would you believe that my eWPTX experience seemed to have come into play? Two out of the six tasks were vulnerabilities I saw from my eWPTX exam.
You could say I got lucky a bit. I got quite the jump start. On the first web application, I was able to exploit a vulnerability that escalated me straight to the Administrator. That helped me in having the peace of mind of having more time to work on future potential payloads. I read the secrets of the carlos file and solved the first web application. This is a good time to say that you should be comfortable with Burp Collaborator. You will need this to identify and or detect hidden vulnerabilities.
Now on to the second application. This did not take as much time as I used a third-party tool to assist once I saw the vulnerability. PortSwigger allows you to do that so no worries about cheating. Once I got through with that I saw the path to reading the secret file of the second application and with that, I was done. If you are successful you will get a message that you completed the technical requirements and you will be asked to upload your project file:
I did face issues with this as I uploaded my file and nothing happened, it just stayed on the above screen. If you should face that issue, send an email to PortSwigger. They will set up a shared drive where you can drop your Project file. It took three business days for me to get my results as they had to do their verification. This is to maintain the integrity of the certification and to combat cheating etc. They outline this on their page.
Tips for the exam
The exam was both frustrating and fun if I am honest. It has a lot to do with the time. You are working on a payload and if it does not work then you end up glancing at the remaining time at every opportunity you get. All of that will introduce panic, particularly if you have problems with anxiety. The exam is possible to be passed on the first try. The key is being fast and efficient. Throw all your previous experience with certifications. Whether it be from Offsec, eLearnSecurity, just forget all about it. Adjust your methodology for speed and the utmost efficiency. With that said here are some additional bullet points:
- Once you are in the exam, get a scan running, whether it be passive or active. That helped me on the exam and picked up the vulnerabilities that lead to compromise. Try to focus on particular areas if possible. PortSwigger has a good write-up on this, here.
- Take note of the PortSwigger Labs and the walkthroughs. For some of the exercises, keep copies of the payload solutions, keep an inventory of them, and categorize them accordingly to help you in the exam. This helps you not search all over and eat away at the already short time you have. They will only require minor tweaks if you find similar vulnerabilities in the exam.
- Take the practice exam to get familiar with the exam format.
- Consider doing a Web Application Exam that can give you a real test before it all. For me it was eWPTXv2.
- I mentioned third-party tools before. Get familiar with SQLMap and ysoserial. Also, consider adding some of the Burp extensions. Two of the main ones are Java Deserialization Scanner and Param Miner
- Focus on vulnerabilities relevant to each stage. I thought I was a genius thinking of this when preparing but it was already covered in another blog I saw by Micah Van Deusen:
Compared to other certifications, it is relatively inexpensive, making it a worthwhile addition to your skill set. The free labs provided by PortSwigger create an accessible learning environment, allowing individuals to prepare for future challenges. Since there are no limitations on the tools used, the exam enables you to explore various possibilities and enhances your critical thinking skills in real-world penetration tests.
I recommend this certification to any Penetration Tester that wants to flex their Web Application Pentesting skills or just anyone curious in seeing if they can conquer the exam. Thankful it did not take me too many attempts to finish but I am glad I have it now. Take your time to prep, don’t rush prep because you want this certification. Go through the motions slowly and attack it when you are ready. If you are a fan of rating exams out of 10, I would give it a 9/10.
Oh if you want to verify my certificate, you can do so here. If you cannot be bothered to click. I got you, it is below:
What’s next for me? Quite a lot actually. Offsec, Terraform, CARTP, and CCSP are all calling my name at the same time. So much to learn, so little time! Hoping to have and be competent in them all before the year finishes! While I’m doing all that, I’ll try to blog some DevSecOps-related content in the future. Cloud is my first love at the end of the day 🙂