I finished the Web Application Penetration Tester course from eLearnSecurity a couple months ago. This was a long time coming, and I had delayed studying for this course for quite some time but finally got around to finishing it off before I completely forgot about it’s existence. I haven’t posted a course review in a while, so I decided this exam would be the perfect opportunity to write down my experience and thoughts on the course overall.
The material covered by the course covers a range of web application testing, split into individual modules. Each module has corresponding videos, slides and labs with which to study and cement your learning. The course outline lists the following specific modules covered by the WAPTv3 course:
- Penetration Testing Process
- Introduction to Web Applications
- Information Gathering
- Cross-Site Scripting
- SQL Injection
- Authentication and Authorization
- Session Security
- File and Resource Attacks
- Other Attacks
- Web Services
- Penetration Testing Content Management Systems
- Penetration Testing NoSQL Databases
Though this is an extensive list when it comes to web application testing, not all modules were created equal. Some modules were far more detailed than others, whereas some barely had enough content to warrant it having its own specific module. Some modules were also notably missing or not covered in as much detail as I would have liked. For example, deserialisation and XXE attacks are two of the OWASP top ten security risks and should have had more content than what was included in this course. Other modules such as Flash seem nearly redundant given its use in current web applications and the fact that it will no longer be supported by modern browsers from December of this year.
The overall video and course material quality was very high though, with clear illustrations and explanations provided that made understanding these concepts much easier.
The labs are where I tend to find the most value in these practical certifications, and I found these to similarly be hit or miss. Labs are primarily split into two sections, the ‘lab exercises’ and the ‘lab challenges’. Lab exercises have step-by-step walkthroughs ptovided, so you can get some practical experience with a vulnerability in a more guided manner. Lab challenges do not have any walkthroughs available, and are instead intended to be harder exercises to demonstrate full competence over the content covered by the module. The difficulty of the challenge labs seemed fair for the scope of the course, and I found some of the labs challenging enough where I needed to spend multiple hours or seek extra hints from the student forum.
In terms of the labs themselves, they felt somewhat outdated and were often quite unrealistic. They often required extremely specific use cases of a vulnerability that would not be seen in any real life scenarios and as a result the method to solve these labs were something I never would have thought of without getting extra hints. On one hand, gave me exposure to new attack vectors, but I often felt like they bordered on the theoretical CTF-esque challenges that aren’t directly applicable to real world engagements.
It’s also worth noting that labs were difficult to configure and did not always run smoothly. In same cases, I outright couldn’t get the labs to work at all and didn’t think it was worth my time troubleshooting in order to get them working correctly.
Unfortunately, the exam was even more outdated than the labs were. The course content is the version 3 of the WAPT, but the exam has not been updated since its initial release well over 5 years ago. Without giving away any spoilers, the exam was also not as broadly scoped as the course content was. I was a bit disappointed to find that only a few of the modules were relevant in the exam, with some of the more interesting or difficult vulnerabilities not required to pass the certification.
As usual for eLearnSecurity certifications, a full pen test report was required. In total, I wrote a 30 page report with 20 vulnerabilities identified.
Overall, I wasn’t super impressed by the WAPT. I feel like the exam in particular needs a lot of work, and the course modules require more refining to better reflect what would be seen in real world engagements. One of the aims of the certification is to “make you a proficient professional web application pentester” and in my opinion this is not quite true.
Given the cost of the certification and its general lack of recognition in the industry, I think anyone looking to improve their web application testing skills should consider the free PortSwigger Academy labs.
With that said, I enjoyed the overall course and exam, plus it’s always a good feeling to get pass certifications – especially ones that require you to prove your practical skills!
Looking forward to further learning and improving,