Hi all, It’s been two months without any update in the blog. Uff!! Job, personal projects, eWPTX, all ate up my time. Because of many requests from my friends, well-wishers I am writing this post to share my journey in achieving eWPTX.
I will follow the format of Cracking OSCP and give my answers to frequently asked questions.
What is eWPTX?
eWPTX is a certification offered by Elearnsecurity. It is a certification to prove your skills in advanced Web application penetration testing (black box). You can either opt for the exam or can take the relevant training course named as WAPTX. The course talks about encodings, basic evasions of Web Application Firewalls, bypassing XSS filters, advanced CSRF, HTML5 attacks, advanced SQL injections (MySQL, Oracle, MSSql) and XML attacks.
How is it different from OSCP?
OSCP, offered by Offensive Security deals with the overall penetration testing of the given target. Even though it contains scenarios in lab machines where you exploit website vulnerabilities, it doesn’t much cover on Application security issues. OSCP’s exam style is more of a CTF combined with a report, but eWPTX exam mimics the process of a professional service to a client from getting the scope of a target to delivering the report in a commercial grade manner and reporting all the security issues ranging from high to low in a single web application.
Should I have to do eWPT?
Okay, eWPT is said to be the prequel to eWPTX. eWPT covers all the vulnerabilities in web application security. This course is extensive for the people who want to start in Web Application Hacking. Doing eWPT before eWPTX is relative and subjective talk. Please go through the syllabus for both the courses before you decide. To be noted, getting eWPTX certified doesn’t make you well versed in Web Application Hacking. eWPTX helps in bypassing firewalls, advanced exploitation, obfuscations whereas eWPT focuses on vulnerabilities that are present in Web Applications.
How is WAPTX course?
WAPTX course content is awesome and unique. Please find the syllabus here.
Yes, the course is more about bypasses and advanced concepts that help in the discovery or exploitation of vulnerabilities.
What was your learning process?
- I went through the syllabus of WAPT. Noted topics that I had to learn such as XPATH vulnerabilities
- I went through the Web Application Hacker’s Handbook once.
- Registered for the course WAPTX
- I would first go through the chapter contents, then watch related videos and try to do the labs myself.
- I go through the chapter again, whenever I hit a roadblock in labs. If I wasn’t still successful, then refer solutions.
- But I make a point to Google for such similar situations in CTF writeups, bug bounty writeups or any related theory.
How was my eWPTX exam?
In the exam, I was provided with a Web Application target and was asked to pentest in seven days. Furthermore, seven days are provided to submit a professional report with all the security issues found with PoC of their exploitation. The exam was fun, but it was pretty much easy if you have understood the concepts in the WAPTX. The best part is, the exam is prepared in such a manner that one need not be absent from work. Fun Fact, I had written my first report on Web Application Penetration Testing during this exam.