The eLearnSecurity Web Application Penetration Tester (eWPTv1) exam is a professional-level penetration testing certification offered by INE/eLearnSecurity. As with all certifications, preparation is of utmost importance, as this exam will test your knowledge of web app exploitation.
The exam is both practical and written, evaluating the candidate’s ability to perform a real-world penetration test in a simulated environment. This includes finding several different ways of exploiting the application. The tester is then required to write a professional report based on the vulnerabilities found in the application. Once the report is submitted, it may take up to a month to receive the exam results.
Who is this Certification for?
The eWPT is designed for people who have prior web application testing knowledge. This includes understanding the OWASP Top 10, knowing how to use Burp Suite effectively, and being familiar with web application enumeration tools such as gobuster, nikto, nuclei, etc. This certification, alongside eCPPT, serves as the next step up from the eJPT exam. It will teach you various attacks and techniques, such as SQL Injections, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), File Upload vulnerabilities, and much more. I would not recommend this certification for complete beginners, as there are some advanced topics that need to be understood to pass the exam. It will take a lot of time to prepare, but if you grasp the topics discussed in the course material, you should be ready for the exam.
I purchased the 'BOOGO' sale in October 2022, which I used to prepare for both the eCPPT and eWPT exams. After starting the course, I found that there were some techniques I had a hard time understanding. I used the course materials and external resources to help me grasp these concepts, which I later encountered in the exam.
Throughout the course, I noticed that some of the material was outdated, as it covered topics like SOAP/Web Services, Flash attacks, XPath, and Clickjacking. While it's beneficial to learn about these topics, they are rarely encountered in real-world client engagements. After completing the course, I compiled a list of attacks I expected to see in the exam and delved into learning them in-depth using resources like TryHackMe and PortSwigger Academy labs, to which I have provided links below.
Overall, I found the exam to be a thorough test of my web application knowledge. Some parts proved to be challenging, such as Clickjacking, Session Hijacking, and CSRF. To overcome these difficulties, I made a conscious effort to continually research and identify potential vulnerabilities that I might have overlooked.
Pros and Cons of the Exam
Pros:
- New techniques learned to assess web applications
- The course teaches you everything you need to know to pass the exam
- There is ample time given for the testing and reporting phase
Cons:
- The course and exam are outdated
- The only explicitly stated way to pass is to obtain admin on the application
- There is no set number of vulnerabilities you must find to pass
- The environment can be unstable at times, meaning you must reset it
Tips for the Exam
Utilize Google. If you don’t understand a concept or an attack, don’t be afraid to go out and research it. If you still cannot comprehend it, there are always YouTube videos that explain it clearly.
Report as you go through the exam. Don’t wait until the last minute to get screenshots, as you will lose access to the environment after the 7th day of testing.
Leverage websites that offer labs to test your knowledge of specific attack vectors. I have linked the TryHackMe and PortSwigger Academy labs, which I found to be helpful during my preparation.
The Bottom Line
The exam will help you to understand how to enumerate, research, and exploit a web application. The skills learned throughout the course will be beneficial during real-world engagements. Overall, the exam is well worth the time and effort, as you will have acquired another set of invaluable skills.