At the beginning of 2022 I had two certification goals: get the eWPT and the eCPPT. I can happily say I have earned the eWPT and will be working towards the eCPPT later this year.
This will be a post describing my thoughts on the INE study material, thoughts on the eLearn Security eWPT exam, how I studied for the exam, and what advice I have for those looking to take the eWPT.
For those that don’t know, the eWPT is a certification offered by eLearn Security, and study materials are provided by INE to prepare you to take and pass the exam. You have seven days with the lab to hack and seven days to write the report. The report you submit is what is graded and determines if you pass. This is not a CTF-style exam. The first tip I will give is to start your report and work on it while taking notes and doing the lab work.
At the beginning of the year I was really excited to take this exam. I felt INE had great materials to learn from, although they are a bit dated. The study material on Flash is worthless in 2022. You can skip that part and I would not be surprised if it was removed this year.
I felt INE did a good job covering XSS, SQLi, information gathering, session security, file upload attacks, CMS attacks, and noSQL databases in the slides and videos.
I will cover my opinions about the transition of the labs in my study material section.
After a few weeks of working on the study materials I felt ready for the exam, so I picked the first Friday evening in February and started it. Getting it up and ready took a few minutes of tinkering with the VPN and reading the Letter of Engagement. The Letter of Engagement is pretty straightforward, but very simple and not very professional looking. It lacks details. Just make sure you read it and understand it, as it states a pretty important factor that needs to be done in order to pass, although it is not enough alone to pass.
The exam was pretty fun, to say the least. It is a professional-looking web application and something I would see in the real world. It has vulnerabilities, and your job is to find them, report them, and provide remediations, just like on a real engagement.
A few days into the exam, I felt I had everything needed to create my report. I wish INE would have a section in each course to talk about report writing. I feel report writing is being overlooked, and for an exam that requires a report to pass, it would help to include something for those that have never written a penetration testing report.
The study materials I used to prepare myself were the Web Application Penetration Testing videos, PowerPoint slides, and labs offered by INE. An annoying issue on the INE platform was that while I was working on the labs in January, INE decided to update the Web Application Penetration Testing labs from their custom-built labs to hosted DVWA and Mutillidae labs.
While I am a fan of the ability to click a button and have a ready-to-learn environment for hands-on practice, I was enjoying the labs (the ones that worked) that INE originally offered, and I’m a bit disappointed with the Web Penetration offerings now.
I am disappointed that the custom-built labs for the eWPT have been replaced by free and open-source labs anyone could download from the internet and set up on their own machine. I feel like I wasted $500, and I hope the eCPPT will help me feel not so ripped off.
I also used the Web Security Academy from PortSwigger to get more hands-on practice. Honestly, if you only cared about getting the eWPT and wanted to save money, you could easily get the materials you need to pass the exam with the Web Security Academy from PortSwigger. They offer amazing labs and learning material that in a few cases are better than what INE offers. I find it funny that the PortSwigger labs are free, but a much better value than the INE labs that cost $500 (when on sale) to access.
Other than these two sources I did not use anything else to prepare myself. The INE Web Application Penetration Testing course shows everything you need to know to pass the eWPT. I feel PortSwigger Academy is a great resource to also prepare yourself, but it’s not required to pass.
Final Review and Advice
My final thoughts about the eWPT exam are: I feel it is a good web penetration testing exam. It is fun and I am proud of my accomplishment in earning my certification. I did learn a few things while taking the exam.
My critiques are: the Letter of Engagement needs more detail. I feel it’s a bit too simple and vague to be passed off as a professional letter of engagement.
The labs from INE are bad. I cannot sugarcoat this. I feel ripped off that I paid money for open-source labs. When I first started off with INE, they had great labs that you needed to access via a VPN, and they were better than DVWA and Mutillidae. INE, please go back to having quality labs you built to prepare students to pass an exam.
The good part is that the exam is fun. It really is a great feeling when you find an exploit in the exam. A few of them really make you work for them.
My last bits of advice. When I do a web penetration test I use two main tools: Burp Suite and SQLMap. These are my go-tos, and I had them open for the entire exam. They can do almost all of the work if you know how to use them correctly.
SQLMap will save you time and headaches. Burp Suite Repeater is also important. Everyone has different tools, but all I needed to pass was a good knowledge of how to use these effectively. (If you prefer ZAP, go for it; Burp is just my go-to proxy tool.)