eWPT exam review

Hey there, since I’ve taken eWPT a while ago I decided that I should make a review about it, so here we go.

What is eWPT?

eWPT stands for eLearnSecurity Web application Penetration Tester, it is a completely hands on exam in which you are required to assess a company’s web infrastructure and write a professional report with your findings.

The exam lasts 14 days (2 full weeks), in the first 7 days you are required to try and find any possible flaws on the websites, the remaining 7 days are for report writing.

The exam requires some good web application pentesting skills, here’s a list of what eLearnSecurity’s recommended prerequisites are:

  • Letters of engagement and the basics related to a penetration testing engagement
  • Web application standards and protocols
  • Functional and infrastructural analysis on web applications
  • Vulnerability assessment of web applications
  • Manual exploitation of web applications
  • Ability to perform post-exploitation techniques
  • Outstanding reporting skills

eLearnSecurity states the following

By obtaining the eWPT, your skills in the following areas will be assessed and certified:

  • Penetration testing processes and methodologies
  • Web application analysis and inspection
  • OSINT and information gathering techniques
  • Vulnerability assessment of web applications
  • OWASP TOP 10 2013 / OWASP Testing guide
  • Manual exploitation of XSS, SQLi, web services, HTML5, LFI/RFI
  • Exploit development for web environments
  • Advanced Reporting skills and remediation

As I previously said in the eCPPT review, I can 100% guarantee that everything eLearnSecurity states is true and you will be assessed in those areas.

Preparation

The best preparation you can do for this exam is to take its official course, which is WAPT, offered by INE.

Other than that, these are some resources that you might want to take a look at before starting your exam.

  • TryHackMe’s NahamStore room (https://tryhackme.com/room/nahamstore) - It felt like the actual exam, but a bit easier (do it one day prior to your exam day).
  • TryHackMe’s Web Fundamentals Path - Do this whole path before even starting doing the course, it’ll give you rock-solid foundation.
  • PortSwigger’s Web Security Academy - (https://portswigger.net/web-security) - If you can’t afford an INE Premium sub, you can surely take the exam and pass it just by doing labs from PortSwigger’s WebSec academy.

Exam day

The exam started out like the eCPPT’s one, Letter of Engagement, basic recon etc.. You’ll quickly start to find vulnerabilities here and there, but don’t think that’s all. There are some “obscure” vulnerabilities that you can miss them if you don’t pay enough attention.

The exam covers what you’ve learned during the course material. Having done all the labs while supposedly you took good notes along the way, the exam shouldn’t difficult at all. Of course it may throw you off in some circumstances but that’s up to you and how you can think in critical moments. (From eCPPT review)

Pro Tip: Don’t think like this exam is an exam / real pentest. IMO, think like you’re trying to do some damage to a company you hate (even though we don’t do that since we’re ethical hackers, aren’t we?) that’d give you the mindset that an actual attacker might have.

Result

The exam was fun and all, I’ve broaden my Web Application Pentesting skills, gained some experience and learned some neat tricks along the way.

I’ve got my eWPT results back fast, 2 days to be more specific. I know it may take longer for some people but it depends :)

  • Dec 11 2021 01:31:34 - Exam Started
  • Dec 12 2021 02:10:12 - Report submitted
  • Dec 14 2021 02:15:27 - Report Assessed

The result?

Link: https://verified.elearnsecurity.com/certificates/86ebfe40-74a4-4caa-a84b-d4ada08c04e9

I know people make these reviews maybe a bit longer and go in much more detail, but I just wanted to give my input and whether you liked it or not, thanks for reading.