Finding Vulnerabilities with Burp Suite Intruder and Repeater (Community Edition)

Burp Suite is a set of tools used to perform Web Application Pentesting. In this guide I will show you how to leverage the free (community) edition to help find vulnerabilities in web applications. We will utilize Burp Suites Repeater and Intruder functionality along with word lists from SecLists.

I will use a TryHackMe Free room called Team Room and a room called Brute it to help set up the testing targets. I highly encourage looking into the Burp Suite Academy for labs on Burp Suite as well to get more hands on experience.

I will also be using FoxyProxy to proxy the traffic through. If you are not familiar, Burp Suite needs to have a proxy setup between the browser and target application. FoxyProxy helps make managing the proxy simple, as it can be enabled and disabled through the browser.

Here is a basic setup on how I have FoxyProxy setup and leveraging Burp Suites port 8080.

Using TryHackMe’s Team Room, we can have an environment set up to do testing. With Burp Suite running and Team Room setup via TryHackMe we can get testing.

I will be cheating a bit to get to the fuzzing section of Team. In the /etc/hosts file I will add an entry for dev.team.thm. This will set up the section to perform our first attack.

Navigating to http://dev.team.thm will display a web page. With Burp Suite we can access the Proxy Tab and then the HTTP History Tab and “Add to scope” to ensure only this applications traffic is captured with Burp Suite.

Clicking the Place Holder Link loads a new page with a page parameter in the URL.

Next we can forward this request to Repeater in order to do some analysis. We can then tinker with the page parameter, change the Request to a Post Request, mess with the User-Agent, etc, to see if the application will display any errors or useful information in the Response.

The next step is to use Intruder to fuzz the page parameter to see if it is vulnerable. SecLists offers a variety of fantastic word lists that we can use to Fuzz the parameter. I encourage you to review and look over these word lists and see which ones can help you in a particular moment.

SecLists offers lists for command-injection, SQL Injection, XSS, Local File Inclusion (LFI), passwords, word lists for directory/file brute forcing, extensions, and much more.

Sending the request to Intruder, we can highlight the parameter we want to fuzz. In this case we want to highlight the teamshare.php value. The attack type will be set to Sniper.

Next we will click the Payloads tab. Here we can insert our word list values from our SecLists. Because the parameter appears to be loading in a file, it would be a good guess to try for Local File Inclusion (LFI). We can copy and paste the values of file LFI-Jhaddix.txt into the Payloads Options section. In SecLists this is stored in Fuzzing/LFI.

Burp Suite Community Version will throttle the speed at which the fuzzing is happening, but we will quickly see some results come back from our attack. While Intruder is cycling through the word list we can view Responses that have a vastly different Length to see if anything is interesting pops up. It turns out that the parameter is indeed vulnerable to Local File Inclusion.

The combination of Burp Suite intruder and SecList word lists for LFI allows us to not only to have a POC for /etc/passwd, but other Linux files that were read.

This was a good example of what Intruder and a good word list can do. Let’s take a look at one more example using Intruder to perform brute force password attacks on an administrative login.

Using the TryHackMe room Brute It we can get practice using Burp Suite Intruder to perform a brute force attack. If you are interested in working along, fire up Brute It on TryHackMe and navigate to the /admin page. Here we see a basic login page.

With Burp Suite running and FoxyProxy enabled we can capture a post request by attempting default credentials with admin/admin.

With the parameters setup for the user to be admin and the password to be the target using a Sniper Attack Type we can now load in another word lists with SecLists.

This time we will try the 500-worst-passwords.txt to see if we can find the admin password. This password list if found under /Passwords. Either load in the word list or copy and paste the passwords into the Payloads section. Submit the attack by clicking the attack button and let’s see if we get a hit.

Viewing the results we see one that sticks out with an HTTP Status of 302 and a much different Response size. This is a pretty good sign we got a hit during our brute force attack.

Using the credentials from Intruder we are able to verify the password for the admin was correct and we have successfully authenticated.

This concludes the basic guide for Repeater and Intruder. If you want to get more hands on with Burp I recommend TryHackMe’s Burp Suite Module. Here is the starting basics section. Burp Suite is an incredible suite of tools that can help find vulnerabilities and misconfigurations in a web application.

More hands-on labs can be found on Burp Suite Academy’s site if you want more targeted vulnerabilities to work on, such as SQL Injection or XSS.

If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

Free Resources To Learn Pentesting

TryHackMe
TryHackMe is a online service that offers paid and free rooms. The highlight for TryHackMe is that it offers beginner friendly and advanced rooms for pentesting, malware analysis, digital forensics, and much more related to cyber security. If you are just getting into Cyber Security, this is a great starting point. If you enjoy the free content, consider the monthly service to have access to the paid rooms. I used this as my first Cyber Security Training to help me become a Pentester.

PortSwigger Web Security Academy
PortSwigger Academy is a free online resource for learning beginner and advanced Web Application Exploits. This site offers labs on XSS, SQL Injection, Server Side Request Forgery and so much more. The course is designed around PortSwiggers Burp Suite Program, but labs can be completed without it. PortSwigger is always adding new content to the site. This is a great resource for learning Web Application Pentesting.

API Security University
APISEC University is a website that offers Courses on learning how to hack and pentest against APIs. Corey Ball goes into great detail in discussing how to hack APIs and talking about the OWASP Top 10 for API Security. This course is free and offers great video material that help set up labs and perform the test, then at the end of each section you will be given a quiz and a lab to perform to ensure you are learning the material.

The Cyber Mentor YouTube Channel
The Cyber Mentor has a fantastic YouTube Channel dedicated to Cyber Security. I could make a blog post dedicated to just Cyber Mentor Content. The content on the YouTube playlist I recommend checking out is the twelve hour series on Ethical Hacking. It includes information on networking, basic hacking techniques, python programming, web application hacking, buffer overflows, OISNT, and much more. If you enjoy the free content, you can check out the paid video series on TCM Security Academy and extend your knowledge.

HackTricks
HackTricks is a fantastic website that has great learning material and methodology on pentesting. It is a typical go-to while I am performing a pentest to get a refresher on a tool. This site has a great number of links to resources and other learning material as well. I highly recommend checking out this resource and giving the material a read.

Active Directory Security
Active Directory Security is a website used to post information about Active Directory Security and pentesting. Learn about Mimikatz, Kerberoasting, AD Recon, and more. If you are interested in Active Directory Security and pentesting, this site is a great resource to learn from.

VulnHub
VulnHub is a resource with vulnerable boxes that are meant to provide hands-on practice. The website offers several vulnerable boxes that use Virtualization Software such as Virtualbox or VMWare. I recommend the route of setting up your own virtual environments and testing against it. You can also look into hardening and patches the boxes.

If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

My Top Ten TryHackMe Rooms

I have been a TryHackMe fanboy for a while and just finished up doing a 500 day streak and have completed 275+ rooms. I wanted to write a blog post describing my personal ten favorite rooms.

No flags or hints on how to complete these rooms on this page. I will discuss at a high level what the room is about and what skills or techniques would be needed to solve it. If you like to go into rooms 100% blind than feel free to skip this blog post.

10. Vulnversity

Vulnversity is a free and beginner friendly TryHackMe Room that is geared towards teaching the basics of Pentesting.

The room includes a video guide by Darkstar and does a fantastic job of explaining the tools used, thought processes, and holds your hand throughout the room. This is great for someone that is looking for their first penetration testing room that wants their hand held from start to finish.

This was one of the first rooms I did when I started TryHackMe and it cemented a number of techniques and tools I still use today. Port scanning, file and directory fuzzing, using reverse shells, and privilege escalation. Often I get asked what a good starting room is for penetration testing. This is the one I recommend.

Tools/Techniques that you could use are

  • Nmap
  • GoBuster
  • Burp
  • Netcat
  • Using Linux to abuse SUID to become root

9. Jason

Who doesn’t love a good horror movie? Jason is a room that is fairly easy, but the technique used to complete the room can be a bit complicated for those new to penetration testing.

It is an easy room if you know what deserialization vulnerabilities are and how to exploit them. If this is something you are not familiar with then here is an OWASP article for you to read if you are interested.

If you want to practice deserialization then this room is for you. It is one of the few rooms that if you are struggling with deserialization I recommend using a guide or walk through to help get you through and learn about the concept.

Great room with fun challenges, great design, and helps in learning a rather daunting technique. Highly recommend checking this out if you are on the hunt to learn more about exploiting deserialization vulnerabilities.

8. Thompson

Thompson has a special place in my heart. I used to manage Apache Tomcat and this room is all about exploiting Tomcat in a fun and real world scenario.

I love when a box has a real world feel to it and Thompson is a scenario that penetration testers will see in the wild and have an opportunity to exploit. Tomcat is deployed with multiple default configurations and files that attackers will use against the target.

From the starting point of the room you get to have a lot of fun fuzzing for files and directories, password spraying, and using Metasploit to exploit Tomcat Manager to get into the system with a reverse shell.

I have seen this similar room used in competitions and it is definitely a room you want to check out.

Tools/Techniques that you could use are

  • Nmap
  • GoBuster
  • Hydra
  • Metasploit
  • Abusing crontab for privilege escalation

7. Linux Agency

This box is 100% a video game box. It is a fun and exciting way to learn more about Linux commands.

The premise is: you start off on mission one. You ssh into the box as mission1 and are given a task to solve that allows you to become mission2 user and you essentially climb a ladder solving a challenge and then becoming a new user to solve another challenge.

The challenges change from different Linux techniques such as outputting data from a file, grepping a flag out of a file that has thousands of lines of data in it, changing file permissions, compiling files to get output and using various programming languages to read files.

Linux Agency is fun. However it is long so be prepared to spend some time on this room, but when it is done you will level up your Linux knowledge.

6. Wreath

Wreath is a large room aimed at teaching pivoting and Command and Control Frameworks. It is a very large room that can eat up a day.

It is highly recommend to take good notes and take it slow. I swear I didn’t plan this but again Dark has created a video guide to help teach and walk users through this if needed. The video guide is forty one videos and as stated earlier this can easily eat a whole day.

That being said it is a “free” room. The catch is it is free if the free user has a seven day streak.

This room goes into great detail on pivoting and what it is and with socat, chisel, and SSH Tunneling / Port Forwarding. The next major section will be Command and Control. If you are not familiar, Command and Control (C2 Frameworks) are applications used to manage remote sessions on a compromised host. Cobalt Strike, Covenant, Metasploit, and Empire are examples of C2 Frameworks. The last major section is AV Evasion.

I suggest this beast of a room because it teaches excellent fundamentals for internal pentesting and how to pivot and use C2 Frameworks. I cannot even remotely begin to explain how cool and amazing this room is. You will gain so much hands on experience and it is free for users with a seven day streak. I would easily pay money to TryHackMe to have access to this room.

5. Buffer Overflow Prep

Before I started TryHackMe, I had some basic Ethical Hacking Knowledge. I knew how to do a lot of the easy rooms and felt comfortable with using tools such as Nmap, Metasploit, GoBuster, Burp, etc. What I didn’t feel comfortable with was Buffer Overflows.

Buffer Overflow Prep by Tib3rius was a God send for me. It taught me how to do buffer overflows and gave me so many attempts at doing them that I got the basics down and felt like I conquered a huge undertaking. Buffer Overflows can be a lot to take in and work on and with Buffer Overflow Prep I was able to overcome the fear and learn to have fun with them.

That is why I recommend Buffer Overflow Prep and why it is one of my favorite TryHackMe rooms. It gave me the tools and knowledge needed to learn how to perform a Buffer Overflow and how to transfer the knowledge to other rooms and exams.

I know someone else out there is afraid to dive into Buffer Overflows and if that someone is you, try this room and watch the video Tib3rius made for this room. Stack Based Buffer Overflow Prep.

4. Linux/Windows Priv Esc

I’m cheating here, but I’m going to combine Linux and Windows Privilege Escalation rooms together for the number four spot.

Created by Tib3rius, these rooms are geared towards teaching some of the most important techniques that are required to go anywhere in this field. A short list of what you will learn are

Linux:

  • Weak File Permissions
  • Cron
  • SUID
  • NFS
  • Kernel Exploits

Windows:

  • Registry
  • Scheduled Tasks
  • Token Impersionation
  • Service Exploits

This is a short and sweet description, but nothing can really be said other than if you want to be a penetration tester / red teamer than these two rooms are essential.

A small bonus I found helpful was to take the Udemy courses by Tib3rius as I did these rooms. The Udemy videos and TryHackMe rooms do an excellent job complimenting each other.

Links to the Udemy courses can be found here.

3. Biohazard

For those that do not know this about me, I love the Resident Evil games and Biohazard does a phenomenal job capturing the feel of playing a RE game while hacking.

It is one of the more “video game” like rooms in both name and execution. You are tasked to collect flags and discovered hidden files, folders, pages, keys, images, and anything else scatted on the box to complete this room. It is simply a blast to play.

It can be difficult and at times I would get stuck and get a bit frustrated, but that emulated the feel of the RE games so much that I had to smile. Come prepared to think outside the box and don’t forget about that ever important source code to get by.

Not beginner friendly and it is one of the paid sub rooms, but if you haven’t played this room and love the Resident Evil franchise then I highly recommend this room.

Even if you do not play the Resident Evil games I still recommend this room. It is nothing but a crazy, fun puzzle.

2. Mr. Robot

This room is simply charming and fun to play with. Similar to Vulnversity it comes with a video guide by Darkstar to help hold your hand and provide though process and techniques used to help get through the room.

This room is marked as medium difficulty, but I would say it is one of the best rooms to transition someone that has been doing easy rooms and wants to step their game up and try the medium difficulty rooms.

If you are looking for a fun room to step up your game and have fun. I cannot recommend Mr. Robot enough. I was smiling and having such a blast hacking this box. It is easily one of the best TryHackMe has to offer.

1. Internal

My absolute favorite TryHackMe room is Internal, created by Joe Helle aka TheMayor. I love rooms that are more geared towards real world challenges and are exactly like what a penetration tester would see in the wild. This room was also designed to help prepare you for the eLearnsecurity eCPPT.

Just like in a real penetration test you are given a scope of work and are encouraged to create a report. Once you have completed reading the briefing and start the machine you need to obtain a user.txt flag and root.txt flag.

This room is rather difficult and not for beginners. It is a fantastic room to see where your skills are at and what needs improvement. Do not use a guide for this room. Internal is a room that if you can complete without help can really demonstrate to yourself that you have a good skill set when it comes to penetration testing.

TheMayor truly knocked it out of the park creating this room and even though I have completed it I will often come back to again and again just like one of my favorite video games. The amount of detail put into this room is excellent and I cannot recommend it enough to put your skills to the test.

In Conclusion: I hope this blog has provided some insight for those looking for suggestions for rooms on TryHackMe. TryHackMe has been a huge part in my growth as a Penetration Tester. The overwall number of rooms is huge and it can be a bit much to find the next room to do and I hope this helps someone!

If it does, feel free to send me a message on Twitter and let me know!

PNPT Experience

Introduction

This blog post was written to help provide information and express my feelings about studying for and taking the Practical Network Penetration Tester (PNPT) exam by TCM Security.

The reason I decided to take this exam was because I felt that I struggled with Active Directory Pentesting and this exam offered a means for me to improve in that area and help me to level up as a pentester. I currently work on external pentests, web application pentest, and external red team pentest. However, I also wanted to acquire the skills needed to work on internal pentesting.

I bought the exam and training material for $400. One major plus for the PNPT is that it felt like the first exam I have taken that I would be confident in saying that the course material is all you really need in order to pass the exam. The study material points to other references for reading or practicing your skills, so I did not feel the need to buy anything else to study.

One more thing I would like to highlight before I get into the study material is the material and exam take a real world approach. The biggest hurdle some might have to overcome is to not treat this like a CTF and to instead treat it like a real engagement. As someone that does penetration testing for a living, this exam and study material hit the mark.

Study Material

The Practical Ethical Hacking course is a great resource packed with essentials information. The material includes:

  • Basic Networking
  • Introduction to Linux
  • Introduction to Python
  • Information Gathering
  • Vulnerability Scanning
  • Buffer Overflows
  • Active Directory
  • OWASP Top 10
  • Wireless Penetration Testing
  • Report Writing

My attention was purely on the Active Directory portion of the material and what I spent the majority of my time on. However, I want to stress that I used the Buffer Overflow material here to ready myself for the eCPPT and for the eventual OSCP. TCM Security offers courses I would argue could replace other vendors’ study materials.

Going through this should help give someone the basic knowledge of penetration testing.

The Windows Privilege Escalation course is packed with excellent material and might have been my favorite course to go through. The course will cover:

  • Kernel Exploits
  • Stored Passwords
  • Potato Attacks
  • Registry
  • DLL Hijacking
  • Service Permissions
  • Capstone Challenges to test knowledge of Windows Priv Esc. via Hack the Box and TryHackMe.

The Linux Privilege Escalation course will help provide material on how to escalate privileges on a linux host. I want to say that I truly appreciate the inclusion of capabilities and Docker. The course includes:

  • Kernal Exploits
  • Enumeration
  • File Permissions
  • Sudo
  • SUID
  • Capabilities
  • Scheduled Task
  • Root Squashing
  • Docker
  • Similar to Windows, you will get Capstone Challenges via Hack the Box and TryHackMe.

The OSINT Fundamentals course provides material on how to gather information about a target. This provides a real world engagement feel on encountering a target and gathering all the information information about that target. The course will teach you how to hunt down:

  • Emails
  • Passwords
  • Usernames
  • Social Media Accounts including
    • Facebook
    • Twitter
    • LinkedIn
      Instagram
    • Reddit
  • Website OSINT
  • Using tools to gather information
  • Report Writing

The final course is the External Pentesting Playbook. This material is designed to help show what pentesters do when attacking an external network. It goes against the CTF style of just checking exploits at a machine and seeing what sticks. It has a focus on:

  • Attacking Login Portals
    • Office 365
    • OWA
    • Standard Login Portals
  • Insufficient Encryption
  • Username Enumeration
  • IKE Aggressive Mode
  • Insufficient Traffic Blocking
  • Open Mail Relays
  • Client Debriefs

The Exam

The exam’s structure gives you five days with the exam lab and then two days to write a professional report. After writing the report you will submit it for review and if you meet the objectives you will get an email to schedule a time to do a fifteen minute debrief over the report. Again capturing that real world feel of talking to a client and going over the report and findings. You can use whatever tools you want for the exam.

When the exam started I was given all of the information needed to complete the exam including what objectives need to be met and a sample report to help show how the final report should be structured.

TCM Security provided a stable and solid network to attack. This was a breath of fresh air after working on the eCPPT and eWPT this year, with their unstable exam environments that were unusable for hours.

As I moved through the exam environment I took breaks, ate meals, spent time with my family, and rested my mind when I needed to. I would get stuck a few times, but I felt the exam did a good job of rewarding for enumerating, taking good notes on the findings, and using that information in the exam. I never felt frustrated, which is a great feeling taking a major exam.

The best advice I can give is:

  • Know and understand the study material and do the labs provided by TCM Academy.
  • Feel confidant in Active Directory Attacks.
  • Know how to write a good and professional report.
  • Understand the exploits and how to remediate them.
  • Read through the provided information from TCM Security thoroughly and understand what you can and cannot do.

Final Thoughts

I really enjoyed this exam and the content provided by TCM Security through TCM Academy. I learned a lot going through it and had a lot of fun doing the exam. It’s one of the exams I would do over again just because I felt it was a lot of fun. The report writing is always the boring part, but the exam was great. I truly enjoyed this experience and the fact that it captures the feel of a real life pentesting engagement.

I hope more pentesters and aspiring pentesters look into TCM Security as a budget friendly and quality training material and wish you luck on the exam if you choose to take it!

If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

Good luck!

eCPPT Experience

Beginning of 2022 I had two goals in terms of getting certifications. Get the eWPT and the eCPPT. I can happily say I have earned the eWPT and the eCPPT this year. Mission accomplished.

I’m writing this post because I want to provide helpful feedback for the eCPPT. I will cut away the fluff and get to the important stuff to help answer common questions. I will not be doing a day by day break down.

The lab is seven days of testing/hacking and seven days of report writing. It took me four days with the exam lab to get everything knocked out and two days of report writing. I had the results back in a couple days after submitting the report.

To prepare for the exam, I did all of the INE Penetration Testing Professional labs under the Penetration Testing: Network Security and Penetration Testing: Linux Exploitation.

The System Security for Buffer Overflows has good content. It gets a bad rap in my opinion. It’s useful, but the best way to prep for the Buffer Overflow from INE is the Exploitation with Ruby under the Metasploit & Ruby section. That’s the best way to get hands on practice from INE for BOF.

The Web App Security is a personal section I did not do much of, mainly because I did the eWPT. I would recommend taking the time to go through it and do the labs as well to learn about SQL Injection, Cross Site Scripting, and the other good to know web exploits.

Now I made that section because I believe the material from INE was good. If you don’t have that material because it is expensive, I recommend the following resources.

The last bit of advice I can give are to make sure you are comfortable with pivoting, proxychains, and port forwarding. You will live in proxychains for this exam.

I will also say the exam stability for me was a nightmare and I hope it works well for you. I took a few days off from work and the lab would not start for ten hours on Saturday. I tried to start at 8AM and kept getting errors about starting up the lab. The issue eventually fixed itself around 6PM. Elearn needs to work on more stable exam labs as I have heard similar issues with other people taking this and other exams.

You most likely will not know if you are ready until you start the exam. My rule is to go with the flow and figure out as you go. Don’t stress too much. Take breaks, rest, sleep on problems, and just try stuff. Learn as you go.

If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

Good luck!

eWPT Experience

Beginning of 2022 I had two goals in terms of getting certifications. Get the eWPT and the eCPPT. I can happily say I have earned the eWPT and will be working towards the eCPPT later this year.

This will be a post describing my thoughts on the INE study material, thoughts on the eLearn Security eWPT exam, how I studied for the exam, and what advice I have for those looking to take the eWPT.

For those that don’t know, the eWPT is a certification offered by eLearn Security and study materials are provided by INE to prepare yourself to take and pass the exam. You have seven days with the lab to hack and seven days to write the report. The report you submit is what is graded and determines if you pass. This is not a CTF style exam. First tip I will give is to start your report and work on it while taking notes and doing the lab work.

Initial Thoughts

At the beginning of the year I was really excited to take this exam. I felt INE had great materials to learn from, although they are a bit dated. The study material on Flash is worthless in 2022. You can skip that part and I would not be surprised if it was removed this year.

I felt INE did a good job covering XSS, SQLi, information gathering, session security, file upload attacks, CMS attacks, and noSQL databases in the slides and videos.

I will cover my opinions about the transition of the labs in my study material section.

After a few weeks of working on study materials I felt ready for the exam, I picked the first Friday evening in February and started the exam. Getting it up and ready took a few minutes of tinkering with the VPN and reading the Letter of Engagement. The Letter of Engagement is pretty straight forward, but very simple and not very professional looking. It lacks details. Just make sure you read it and understand it as it states a pretty important factor that needs to be done in order to pass, although it is not enough alone to pass.

The exam was pretty fun to say the least. It is a professional looking web application and something I would see in the real world. It has vulnerabilities and your job is to find them, report them and provide remediation’s. Just like on a real engagement.

After a few days into the exam, I felt I had everything needed to create my report. I wish INE would have a section in each course to talk about report writing. I feel report writing is being overlooked and for an exam that requires a report to pass, it would help to include something for those that have never written a penetration testing report.

Study Material

The study material I used to prepare myself were the Web Application Penetration Testing videos, PowerPoint slides, and labs offered by INE. An annoying issue on the INE platform was while working on the labs in the month of January, INE decided to update the Web Application Penetration Testing labs from their custom built labs to offering DVWA and Mutillidae hosted labs.

While I am a fan of the ability to click a button and have an ready to learn environment and have hands on practice, I was enjoying the labs (that worked) that were offered by INE and I’m a bit disappointed with the Web Penetration offerings now.

I am disappointed that the custom built labs for the eWPT have become free and open-source labs anyone could download from the internet and setup on their own machine. I feel like I wasted $500 and I hope the eCPPT will help me feel not so ripped off.

I also used The Web Security Academy from PortSwigger to get more hands on practice. Honestly if you only cared about getting the eWPT and wanted to save money, you could easily get the materials you need to pass the exam with the WebSecurity Academy from PortSwigger. They offer amazing labs and learning material that in a few cases are better than what INE offer. I find it funny that PortSwigger Labs are free, but a much better value than INE labs that cost $500 (when on sale) to access.

Other than these two sources I did not use anything else to prepare myself. The INE Web Application Penetration Testing course shows everything you need to know to pass the eWPT. I feel PortSwigger Academy is a great resource to also prepare yourself, but it’s not required to pass.

Final Review and Advice

My final thoughts about the eWPT exam are: I feel it is a good web penetration testing exam. It is fun and I am proud of my accomplishment in earning my certification. I did learn a few things while taking the exam.

My critiques are: the Letter of Engagement needs more detail. I feel it’s a bit too simple and vague to be passed off as a professional letter of engagement.

The labs from INE are bad. I cannot sugar coat this. I feel ripped off that I paid money for open-source labs. When I first started off with INE, they had great labs that you needed to access via a VPN and they were better than DVWA and Mutillidae. INE, please go back to having quality labs you built to prepare students to pass an exam.

The good parts are the exam is fun. It really is a great feeling when you find an exploit in the exam. A few of them really make you work for them.

My last bits of advice. When I do web penetration test I use two main tools. Burp Suite and SQLMap. These are my go to’s and I had them open for the entire exam. They can do almost all of the work if you know how to use them correctly.

SQLMap will save you time and headaches. BurpSuite Repeater is also important. Everyone has different tools, but all I needed to pass was a good knowledge on how to use these effectively. (If you prefer ZAP, go for it. Burp is just my go to. Proxy tool)

Good luck!