My journey to becoming an eWPT

eLearnSecurity Web Application Penetration Tester (eWPT v1.0) is a certificate that provides you with practical knowledge about how to conduct a penetration test on a web application. You learn the most common web application vulnerabilities, how they work and how you can exploit them such as SQL injection, XSS, unrestricted file upload, and more. The certificate is focused on being practical, a hands-on keyboard approach where you have to get your hands dirty by doing labs.

The eWPT exam itself consists of two parts, the first part is hacking the web application and finding as many vulnerabilities. They provide you with a full week of access to the exam lab environment. The second part is writing a professional penetration test report, you have a week for this after the access to the exam lab has expired. So in short, after starting your exam and gaining access to the exam lab, you have two full weeks to submit your report. Let’s dive into how I prepared for this exam.

Study preparations

There are different ways how you can prepare for this certificate. I had a paid year subscription on INE which gave me access to the Web Application Penetration Testing course. This is also the official courseware for the eWPT exam. However, there are also free alternatives. I’ll give a quick summary of the INE course, my recommendation, and my timeline for preparing for the exam.

INE course

The course aims to provide you with all the necessary skills to carry out a penetration test against modern web applications. The most widespread web application vulnerabilities are covered, such as:

  • XSS (stored, reflected, DOM)
  • SQL injection
  • NoSQL attacks
  • CSRF
  • Path traversal
  • Local and remote file inclusion
  • HTTP response splitting
  • Authentication and authorization bypass
  • Flash attacks

Also included is how to attack CMS solutions such as WordPress. The course is roughly 16 hours long and combines slides, video, and practice labs. It provides a nice balance between theoretical knowledge from the slides, with practical exploitation examples in the videos, and finishing with you launching the practice labs and getting your hands dirty. This approach worked well for me as it wasn’t as tedious as the infamous ‘death-by-PowerPoint’ which I have experienced far too often. The labs were fun to do and when stuck also provide you the answers to keep moving. Sometimes a lab also includes challenge exercises that they do not provide answers for, these were a good real-world simulation of the eWPT exam. Where you can get stuck without being able to get hints on how to continue and provides you a bit of practice on being persistent and the ‘trying harder’ mentality. To be more concrete, this means when getting stuck you do not just look up the answer and go “Ah, well that’s how it works”, you go back to the study material and read up or just search for more information about the specific vulnerability to get a better understanding of how it works so that you can solve the challenge. To my understanding, this active study approach helps you better memorize, as it is a form of active recall.

Course recommendation

I liked the INE course as it provided all the information you needed to know to pass the eWPT exam. Based on your situation you may not want to spend all that money on the INE course. Do not worry, there are great alternatives that also provide practice labs and ample information about web application penetration testing. One example is PortSwigger Academy, from the creators of Burp Suite, which is a course I highly recommend as an alternative for the INE course as preparation for eWPT. It goes even more in-depth into web application vulnerabilities and also contains more advanced modules. Just make sure you complete all the modules that are needed for the eWPT exam. In the end, I think both the INE and PortSwigger Academy courses provide you with all the information you need to pass the eWPT exam, as long as you’re willing to put in the work: practice, practice, practice.

Study timeline

I finished both the INE course and PortSwigger Academy modules that were related to the eWPT exam. I started by going through the theory, watched videos on how a vulnerability can be exploited, and at last started practicing exploiting the vulnerabilities in the labs. As I already had experience with web application penetration testing, I prepared for 3 weeks, going through the courses and doing the labs. I studied for an average of 3 hours per day. After the 3 weeks, I did the eWPT exam.

The exam

The exam consists of two-part, the hacking part and the reporting part. When logging into the eLearnSecurity portal, and you click on start exam, you receive a few things. The first document is a letter of engagement which provides information about the exam, the exam lab, and what is expected from you as a penetration tester. Second, you receive an OpenVPN file which you’ll use to connect to the exam lab. Do not forget to add the DNS server to the /etc/resolv.conf file in your kali VM. The third document you’ll receive is a reporting guide. After you clicked on start the exam, you have a week of access to the exam lab and after that a week for finishing and submitting the report. Let’s dive into the hacking part of the exam.

The hacking part

I started by taking a close look at the scope and exam objectives written in the letter of engagement. Within the exam objectives, it was made clear that “A necessary but insufficient condition to pass the exam is to log in to the Administration area as the administrator user”. Also, it mentioned that the lab simulates active users browsing and working on the web application. I had my Kali machine ready to go and made sure to make notes and screenshots of all my actions, which made creating the report all that much easier. I made sure I had my evenings free, so I could fully focus on losing myself in the exam lab undisrupted.

The exam lab is a ton of fun, there are a lot of vulnerabilities to be found, and there are multiple ways of achieving the exam objectives. Having a full week of access to explore the web application provides you more than enough time to get the admin and find all the vulnerabilities. I think this makes the exam a fun experience, as you can create a plan to finish the exam that fits your situation. Want to finish the exam after working hours? Sure. Want to finish the exam in just a weekend? No problem. After three nights, where I stayed up late, I got admin and found a ton of vulnerabilities. That’s when I decided that I found enough to probably pass the exam. In addition, I wanted to start writing the report while still having access to the exam lab, so I could go back and get some more evidence when needed. Let’s talk about the reporting part.

The reporting part

In the end, you’ll be solely judged on the pentest report you submit. So doing this right is important. Make sure you read the reporting guide provided to get an understanding of what eLearnSecurity is looking for. It’s looking for an executive summary, vulnerability overview, and vulnerability findings. As this is a web application penetration test you can categorize the report by vulnerabilities to keeping things orderly. For example, I had a paragraph about XSS and wrote down the multiple XSS vulnerabilities I found in that paragraph. You do not have to start from scratch, great pentest report templates already exist. This one is great and is the one I used for the eWPT exam: TCM Security Sample Pentest Report. It was an advantage that I still had access to the exam lab to gather extra evidence for creating a professional report. Overall, I would say writing the report is good practice for getting you ready for being a good pentester. Also, I found the process of writing the report helpful for understanding the vulnerabilities because when you do not understand them, how could you explain them on paper? I submitted the report and after 17 days I received the glorious email: You are now an eWPT!

Conclusion

The eWPT certificate provides you with knowledge about how to conduct a web application penetration test. I found the exam fun, as there were multiple ways to reach the exam objectives and enough time was provided to fully explore the exam lab and write a professional report. The INE course provides a nice mix of theory, videos, and getting your hands dirty. However, free alternatives also provide the needed information to pass the eWPT exam and even a little extra. If you’re looking to get started with web application pentesting, the eWPT certificate is a nice start.

Some tips for the eWPT exam:

  • Practice, practice, practice
  • Do the challenge labs to simulate doing the exam
  • Take notes and screenshots of everything you do (I saved notes in markdown using VS Code)
  • If stuck, take a look at the given course material
  • Take your time writing a professional report with all the vulnerabilities you found
  • Have fun!

References

INE
INE Web Application Penetration Testing course
PortSwigger Academy
TCM Security Sample Pentest Report