Over the past few months, I’ve been honing my web application testing skills by studying Portswigger Labs and Academy content. Recently, I decided to pursue Portswigger’s relatively new Burp Suite Certified Practitioner (BSCP) certification. Although Portswigger and Burp Suite have long been staples of the web application testing industry, the certification exam was only launched in July 2021 and isn’t as well-known as other technical security certifications on the market. Nonetheless, the BSCP has gained popularity due to its affordable cost ($99) and the high-quality, free course and lab content provided by Portswigger. As I progressed through the Portswigger Academy, I decided to take the exam as a way to cement my learnings in web application testing.
The exam is challenging, and many people find it difficult for two main reasons. First, to pass, you must complete two web applications, each with three stages: foothold, privilege escalation, and data exfiltration. You must complete all six stages flawlessly to pass the exam, which means you need to be proficient in identifying and exploiting different types of vulnerabilities. If you are weak in even one single area, it could result in a failing grade. For example, I initially struggled with HTTP Request Smuggling, Cache Poisoning, and Prototype Pollution, which were less familiar vulnerability types to me. I waited to attempt the exam until I had a comprehensive understanding of all the vulnerability types covered in the Portswigger Academy, so I would not be caught off guard by any vulnerability types that I was less confident in.
The second reason people often fail is the time limit. You have only four hours to complete the entire exam, which means you must complete each step in 40 minutes or less. It’s easy to get bogged down in a particular vulnerability and lose track of time, so efficiency is key. If you aren’t well prepared and end up stuck in a rabbit hole or spending too long on a particular vulnerability, you will quickly fall behind the exam pace and end up with not enough time to complete the exam even if you had the technical skill required to complete the exam steps. The exam requires you to be very efficient in your testing, both in the identification and exploitation of vulnerabilities.
Fortunately, I passed the exam on my first attempt, with 46 minutes remaining. Although the exam was straightforward for the most part, I did run into difficulty on the final stage of my second application, and I spent over an hour trying to figure out my mistake. However, I had made such good progress earlier in the exam that I had plenty of time to spare.
Tips and Tricks
Here are some tips that helped me prepare for the exam. Hopefully these help to prepare you for the exam or at the very least put you in the right mindset to give yourself the best possible chance to pass too:
- Complete all the labs: This cannot be stressed enough. Aim to complete every Apprentice and Practitioner level lab before attempting the exam. While completing just over 200 labs might seem like a lot of work, it will be absolutely worth it if you are serious about passing this exam. The vulnerabilities presented in the exam are lifted almost directly from the lab content, so if you have already completed the lab that you are presented with in the exam, you are almost guaranteed to pass that section quickly and efficiently. Directly applying the techniques you learned in the labs is crucial to staying within the time limit.
- Take detailed notes: In addition to completing the labs, take notes on each exercise. At a minimum, record the
payload required to solve the lab exercise and any extra steps or things that might catch you out in the exam. Consider creating an index of all the labs you completed in a spreadsheet or note-taking app so that you can easily filter for different vulnerability types as you come across them in the exam. The idea is that once you identify the vulnerability in the exam, you can quickly refer to your notes and pull out the relevant payload or exploit technique required to get the result you need. Although it takes extra preparation time, this will save time during the exam. There are GitHub repositories where people have posted their notes and payloads, which can be helpful, but I recommend creating your own notes and payloads as you complete the labs. This approach helps you retain the information better and improves your own understanding.
- Practice identifying vulnerabilities: Many times, identifying whether a vulnerability exists involves the same
Use Burp Active Scan at all possible steps, especially on requests that are interesting or likely to have a vulnerability. As you progress through the exam, more pages and features will be made available, so feed them straight into Active Scan rather than diving into a specific vulnerability exploitation straight away. Practice targeted scanning with the “discovering vulnerabilities quickly with targeted scanning” lab, which Portswigger made to drive this point home themselves.
Efficiently follow the methodology of identifying vulnerability classes, matching them to the lab, and exploiting them. Then repeat this process until you have completed a web application. The practice exam is good at showing you what the real exam will be like, so complete this a few times just to get a feel for how new pages or features open up, and how this will reset the cycle back to the “identification” stage. Typically, identifying a vulnerability in stages 2 and 3 of the application will be easier than in stage 1, as the attack surface of a new page or feature should be much smaller in comparison and less enumeration will be required.
Given my tips above regarding the speed required and how important the labs are to passing the exam, it’s safe to say that the exam itself is essentially testing your comprehension of the Portswigger Academy content. It should really be viewed from this perspective rather than as a standalone certification that could be completed without previous practice or preparation in the Portswigger Academy. The certification is basically Portswiggers way of monetizing their otherwise free Academy content by providing students with a way to validate their understanding of the concepts and techniques detailed within. With that said, the Portswigger Academy is without a doubt some of the best content available for people wanting to level up their web application testing skills, and does an amazing job at providing in depth written content and hundreds of hands on labs to practice identifying and exploiting various types of vulnerabilities. I learned a huge amount from the Portswigger Academy and Burp Suite Certified exam, and would absolutely recommend it to anyone who wants to improve their web application testing skills.
4 thoughts on “Burp Suite Certified Practitioner (BSCP) Review and Tips”
Another great write up. I worked through the apprentice labs during 2022. They were fun and great to see how various vulnerabilities can be exploited. I have not started the practitioner labs yet but will take on board your point about note taking and payloads as taking the exam is always an option.
Cheers mate! Best of luck if you do decide to pursue it one day
I think you’re the first person I’ve actually seen pass on their first try. Nice lol
Haha thank you! I think most people underestimate the time limit, and approach the exam more like a normal web app pentest rather than building out processes based on the labs, so get caught out on their first attempt. I definitely benefitted from reading many blog posts on the exam to steer me in the direction I took on my first try.