Just going through the list of lab categories, not using any knowledge from what I saw on the exam itself, we can categorize them into what you should be looking for when. Tip 5įocus on the vulnerabilities relevant to the stage you are on. There also may be hints in the wording of things as to what the vulnerability is or what may be happening behind the scenes. If you don’t make any progress, take a step back, and then see what other type of vulnerability it might be. The reason I failed one of my attempts was that I got stuck thinking the new functionality had to be one type of vulnerability when it was something completely different. Because of that they are great reference to look at during the exam. There are few, if any, curve balls of anything not covered in the labs. However, for a lot of this you can just as easily copy it from the solutions of related labs and modify it for your specific use case. You will likely want proof of concept code to exploit vulnerabilities. Search the PortSwigger documentation and labs. In addition, create some scanning configurations ahead of time for select vulnerabilities you want to look for. PortSwigger has a guide on scanning specific inputs here. As you’re going through the application get it started right away. Use selective scanning and start it as soon as possible. If you get access to a user account you should then look at what additional functionality is exposed that wasn’t accessible unauthenticated. Because of this you can determine any additional functionality or differences at each new step. Each of the applications across the lab and exam use the same exact base blogging site. They have their quirks, but for the price of free it can’t be beat. It is some of the most thorough and organized content out there for web security. I’m interested though to see how that exam would work if they stick to the same time limit.Īlso, if you haven’t checked out the PortSwigger labs yet, I highly recommend them even if you don’t plan on taking the exam. I look forward to any other certifications that PortSwigger creates. It forced me to adapt some of my methodology to be faster and more focused.įrom the questionnaire after the exam, it sounds like this one is more targeted toward the practitioner level and another expert level certificate may be coming at some point. Compared with some of the exams from Offensive Security, the biggest adjustment was getting used to the much shorter time limit. Overall, it was a fun experience and I learned some things from the labs and the exam. The third exam I ran into the same exact vulnerability that stumped me the 2nd time but I was able to take a step back and figure it out. The second time I completed 5/6 of the exam and got stuck in a rabbit hole thinking there should be a different vulnerability than it actually was. Since then, PortSwigger has raised the time limit to 4 hours which helps. At the time, the exam was only 3 hours long and I was trying to get familiar with the platform while taking the exam and ran out of time. This was a mistake as you should be very familiar with the exploit server and how to use it to deliver payloads to the simulated users. I had only gone through several of the labs the first time I took the exam. The exam isn’t too difficult if you are well prepared. It took me three attempts to pass the exam and if you don’t make some of the mistakes I did you can likely pass in less. Stage 3 - Find a way to read the file at /home/carlos/secret Stage 2 - Escalate privileges to the administrator account. Stage 1 - Get access to a low privileged user account. These vulnerabilities need to be exploited in order as each of the three stages gives you access to more of the application. The exam consists of two applications that have three vulnerabilities each that need identified and exploited. The typical price for this is $99 dollars, however, I purchased several attempts around Black Friday when they had it for $9 dollars. The following are my thoughts on the fairly recently released Burp Suite Certified Practitioner exam and some tips if you plan on taking it.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |