I began my journey pursuing a cyber security career professionally about a year ago, with the focus on obtaining only hands-on practical certifications with the intent to pivot careers after a decade-long run in Sales. Currently, I have obtained the eJPT, eCPPTv2, eWPT and eWPTXv2 certifications, and work on the Vulnerability Operations team at Synack.

With that being said, I wanted to talk through my journey on how I managed to pass the eWPT exam on my first try, without using any of the INE resources.

Yes, it can be done! How bad do you want it?

(proof of my certification, if you need to be convinced, lul.)
verified.elearnsecurity.com/certificates/a6..

First, let's start with the obvious if you have completed your eJPT, or even your eCPPTv2 certifications, you may find this certification challenging if you have not sharpened your skillset for pentesting web applications. If you are not comfortable with exploiting Boolean Blind, Error Based, and Time Based SQL Injections, or testing for Reflected and Stored Cross Site Scripting vulnerabilities, along with detailed professional report writing, I highly suggest you follow the material I list below.

To summarize the tasks that you need to complete during the exam, you will need to show that you can access a restricted Admin area of the web application. However, just being able to do so is not sufficient to pass. You will need to treat this exam as if you were hired by the client, audit every asset owned by the client, and report every vulnerability that you found, including informational findings that may be valuable to the client. (I did!)

I enjoy providing value to this community, and the best way I can do that is by providing the resources I used to study that helped me pass the exam on my first attempt. I highly suggest that you use this article as your bible when preparing to take the eWPT exam.

Side Note: Please do NOT reach out to me if you think I will give you the answers for the exam. I felt the pain, you will feel the pain too. Don't be lazy. If you reach out looking for answers on the exam, this isn't the industry for you. Don't be a n00b.

Buckle up buckaroos! Let's get this party started!

Cross Scripting Resources

Reflected XSS

• https://portswigger.net/web-security/cross-site-scripting/reflected

• https://brightsec.com/blog/cross-site-scripting-xss/

• https://www.youtube.com/watch?v=k4lUX55uNM0

• https://public-firing-range.appspot.com/reflected/index.html (free labs!)

Stored/Persistent XSS

• https://portswigger.net/web-security/cross-site-scripting/stored

• https://www.thesslstore.com/blog/the-ultimate-guide-to-stored-xss-attacks/

• https://www.exploit-db.com/docs/english/18895-complete-cross-site-scripting-walkthrough.pdf

• https://www.cobalt.io/blog/a-pentesters-guide-to-cross-site-scripting-xss

• https://portswigger.net/web-security/cross-site-scripting/reflected/lab-html-context-nothing-encoded (lab!)

• https://portswigger.net/web-security/cross-site-scripting/stored/lab-html-context-nothing-encoded (lab!)

SQL Injection Resources

Remember.. SQLmap is your best friend when exploiting these vulnerabilities. The -r switch goes a long way! ;-)

• https://github.com/sqlmapproject/sqlmap

• https://dl.packetstormsecurity.net/papers/cheatsheets/sqlmap-cheatsheet-1.0-SDB.pdf

• https://portswigger.net/web-security/sql-injection

• https://hippidikki.wordpress.com/2018/07/12/using-sqlmap-on-a-soap-request/

Boolean Blind SQL Injection

• https://www.hackingarticles.in/beginner-guide-sql-injection-boolean-based-part-2/

• https://www.hackingloops.com/boolean-exploitation-technique-to/

• https://www.youtube.com/watch?v=MfDo_ssS4PY

• https://null-byte.wonderhowto.com/forum/explotation-blind-boolean-based-sql-injection-by-mohamed-ahmed-0179938/

• https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses (lab!)

• https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors (lab!)

• https://portswigger.net/web-security/sql-injection/blind/lab-time-delays (lab!)

• https://portswigger.net/web-security/sql-injection/blind/lab-time-delays-info-retrieval (lab!)

Error-Based SQL Injection

• https://medium.com/@hninja049/example-of-a-error-based-sql-injection-dce72530271c

• https://gbhackers.com/manual-sql-injection/

• https://rstudio-pubs-static.s3.amazonaws.com/117265_97cc9bec3f4a4952b37369ade413e435.html

• https://akimbocore.com/article/sql-injection-exploitation-error-based/

Time-Based SQL Injection

• https://beaglesecurity.com/blog/vulnerability/time-based-blind-sql-injection.html

• https://www.youtube.com/watch?v=xHzH00vyVHA

• http://www.securityidiots.com/Web-Pentest/SQL-Injection/time-based-blind-injection.html

File Upload Exploitation

\cough\ I highly suggest you become a guru here. \cough\ ;-)

• https://portswigger.net/web-security/file-upload

• https://www.prplbx.com/resources/blog/exploiting-file-upload-vulnerabilities/

• https://www.youtube.com/watch?v=rPdn88pO7x0

• https://www.youtube.com/watch?v=b6R_DRT5CqQ

• https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload (lab!)

• https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-content-type-restriction-bypass (lab!)

Session Hijacking

• https://www.thesslstore.com/blog/the-ultimate-guide-to-session-hijacking-aka-cookie-hijacking/

• https://www.youtube.com/watch?v=z6nUbsY5B-w

• https://www.youtube.com/watch?v=T1QEs3mdJoc

• https://resources.infosecinstitute.com/topic/session-hijacking-cheat-sheet/

Enumeration

Subdomain Brute Forcing

• https://infinitelogins.com/2020/09/02/bruteforcing-subdomains-wfuzz/

• https://sidxparab.gitbook.io/subdomain-enumeration-guide/active-enumeration/dns-bruteforcing

• https://pentester.land/blog/subdomains-enumeration-cheatsheet/

• https://0xffsec.com/handbook/information-gathering/subdomain-enumeration/#google-dorking

Directory Busting

• https://medium.com/@nynan/bug-bounty-recon-content-discovery-efficiency-pays-2ec2462532b1

• https://www.hackerone.com/ethical-hacker/how-recon-and-content-discovery

• https://www.youtube.com/watch?v=p4JgIu1mceI

• https://www.hackingarticles.in/5-ways-directory-bruteforcing-web-server/

• https://sushant747.gitbooks.io/total-oscp-guide/content/web-scanning.html

Low/Informational Vulnerabilities

• https://www.imperva.com/learn/application-security/clickjacking/

• https://www.geeksforgeeks.org/session-fixation-attack/

• Missing Cookie Attributes (use Nikto! https://cirt.net/Nikto2)

• No Rate Limiting? https://gaya3-r.medium.com/no-rate-limiting-on-form-registration-login-email-triggering-sms-triggering-5961b64a91cb

Report Template

• https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report

Wrapping up this post, my report turned out to be 102 pages, granted, it had a TON of screenshots, and I reported every finding I found. I wanted to be as thorough as possible, as this exam focuses heavily on being a "live" pentest, and the report writing element. You can crush the practical exam, but if you submit a bad report, they will fail you. Please for the love of god, focus on the report quality!

All in all, I feel the exam is laid out pretty well, granted some of the exploits are starting to become a bit obsolete, but I was still banging my head against the keyboard.

Remember... eat. sleep. shower. go outside. (without your hoodie)

You have 7 days to hack everything and reach the Admin area, and another 7 days to write a professional report, which I feel is more than enough time to complete. I did the hands-on part in roughly 2 days. However, to be fair, this is my career, which is solely focused on web exploitation.

eLearnSecurity, responded in 24 hours after I submitted my report!

I hope I was able to provide some value for you guys and gals. If you have any questions, please reach out to me on Twitter: @grumpzsux

Hack the planet, my fellow basement dwellers.

-GRuMPz