Context
After a few months away from ElearnSecurity certifications, mostly due to OSCP preparation, I decided to take the second web course and certification they offer: Web Application Penetration Tester eXtreme (eWPTXv2). It was the logical sequel to the ElearnSecurity web application pentester certification (eWPT) I took a while ago and the course outline seemed promising.
I passed the certification recently and wanted to give some insight on both the course and the exam.
The price of the certification is $400. To that you have to add unlimited access to all ElearnSecurity courses that costs $750 a year. As I said in previous articles, the more certifications you get from them the more amortization of that cost you have.
Format
As usual for ElearnSecurity’s, the course is a mix between slides, videos and practical labs. Practical labs did not include more difficult “challenge” labs this time compared to the WAPT course.
Labs can be accessed via a VPN connection or a web-based virtual machine. It is a convenient way to learn at your pace.
Course
I found the course to be a good addendum to the WAPT one, covering less known and more recent areas of web pentesting. There are a lot of tips that are applicable to the typical day to day web pentest. I think this is more relevant to today’s penetration testing assignments than the WAPT course because it follows the web developpement trends such as the intensive use of APIs I see in my job. In particular, I enjoyed that the course had sections on:
- XML attacks (including advanced ones)
- Server-side attacks such as SSRF, XSLT and template injections.
- Authentication attacks on JWT, OAuth and 2FA bypasses API pentesting: REST, SOAP etc.
The evasion sections on both XSS and SQL injections is though less interesting and mostly applicable to WAF bypassing. The related labs feels like a CTF, with a “know the exact bypass or do not succeed” approach. I did have to look to solutions to some of the levels of these labs having no clue of what was expected. On another hand, presentation of sqlmap tamper features were very instructive and I even ended up adding a script in the project.
The crypto part was quite surprising, with labs asking to code a padding oracle, pretty far from web pentesting.
There is less focus on methodology compared to the WAPT course, really making this course for people that either already have taken WAPT or that have done web penetration testing before.
I had quite a lot of issue accessing the labs, probably because INE (the plateform behind ElearnSecurity) was doing maintenance operations and I ended up not doing the last labs before trying the exam. The support was quite helpless, with answers saying that they were aware of the problems and trying to fix the labs but unfortunately I spend almost two weeks waiting before giving up and decided to move forward to the exam.
Exam
The exam is a blackbox web penetration test. There are several minimal objectives to acheive that are necessary but not sufficient to pass. A full penetration test report is expected. I used the same template than for the eWPT report.
The exam duration is 14 days total including 7 calendar days access to the exam labs and 7 more calendar days to upload the report.
In my opinion, it is more difficult to get everything in time than eWPT so be ready.
I had a lot of issues with the stability of the exam lab with some parts working only once in 12 resets, having 4 resets per day, it made me loose a lot of hours. I am apparently not the only one that was in that situation.
I used the two attempts to pass, in the first one only being able to complete half of the necessary objectives. I retook the exam straight after getting the examiner feedback and I almost immediately was able to complete the necessary objectives, adding several observations to the report as well.
I found the exam to be quite fustrating, both because of the lab instability but also because of some parts being very CTF-ish, requiring guessing at some points. I would not rate it extreme in difficulty but it is harder than eWPT because of the number of tasks to be completed.
A piece of advice
- Complete all labs from the course
- Report “as you go”, do not leave all reporting once you cannot access the exam lab anymore. You may be lacking a screenshot or a command line.
- Use the report guidelines from WAPT to template your report
- Prepare generic payloads for the different attacks described in the course and have them ready
Conclusion
I would recommend the course to everyone as the contents are good and relevant to web pentest assignments that a professional can get. I however think that the exam is questionable.