Finally! As promised, I am sharing my tips and tricks on how to pass the eWPTXv2 exam by INE and eLearnSecurity on your first attempt, using nothing but free resources. This exam is by far the hardest exam that I have taken to date, and I thought it would be the one that ends my streak of passing certification exams on the first try. But... I did it.
But of course, if you'd like proof, here it is: https://verified.elearnsecurity.com/certificates/a7cdc42b-bb12-4e72-bdfe-96105864d55e
All jokes aside, if you struggled through the eWPT exam, then you are not ready for the eWPTXv2 exam. In my opinion, INE/eLS should have created a certification in between the eWPT and eWPTX given the degree of difficulty. If you struggle with Java deserialization RCEs, Server-Side Template Injection, PHP Object Injection, advanced SQLmap usage, or chaining vulnerabilities together, then you may want to hit the labs. I suggest being comfortable reading code, along with being able to write simple scripts, with a focus on PHP! ;) However, don't fret! I am outlining the resources I used to prepare, and some of the vulnerabilities to anticipate for your journey ahead.
Also, I am available on Twitter @grumpzsux if you have any questions, please feel free to shoot me a DM.
However, I will NOT be giving out any answers! If I had to feel the pain and sleep in a puddle of my own tears in the fetal position, you shall too!
Let's get this party started.
Master the Art of The Following Vulnerabilities:
PHP Object Injection
Server Side Template Injection (SSTI)
Server Side Request Forgery (SSRF)
Second Order SQL Injection
Note: please do not depend on SQLmap for each SQL injection that you find; not all of them can be exploited using SQLmap, and you may need to exploit them manually. In this case, be sure that you understand why you are using special characters like # when testing manually. ;)
Anti-CSRF Token Bypass using SQLmap
Out-of-Band (OOB) XML eXternal Entity Injection
Host Header Injection
PHP Coding Resources
Stored Cross Site Scripting (SXSS) <-- assuming you're 31337 already
Reflected Cross Site Scripting (RXSS) <-- assuming you're 31337 already
Time-Based SQL Injection (SQLi) <-- assuming you're 31337 already
Just to finish this article off, please ensure that your enumeration through each phase of the cyber kill chain is diligent. Don't be afraid to dig deep: check for hidden directories, subdomains, and endpoints that can be used to craft attack chains. Don't stop at the first vulnerability you find; see if there is a way to chain it with another vulnerability to create a more impactful attack chain. ;)
I feel that this exam is worth doing if you are going to focus on web applications; the attack chains are modern and not as outdated as those in the eWPT exam. Given that I triage reports for a living at Synack, I am exposed to web app vulnerabilities all day, and the exam aligns fairly well with what is being submitted currently.
Critical thinking is what will make you successful.
Good luck my fellow nerds. - Sergio Medeiros