eWPT Exam Review & Tips

By Nirosh Jayaratnam

So, I passed the eWPT exam on my first attempt!

Since I am restricted to share exam information, I will share some insights about this course and exam from my own experience.

The course is well-structured and organized in a manner that a noob in this field can also learn web application security. If you do all the labs, you can get to know most of the common web application security threats and its exploitation techniques. The eWPT exam is not like other Infosec certs exist in the market. In other security certs, you can pass the exam by answering some MCQs by practicing model papers & dumps. But here you need to prove that you have learned everything that is taught in the course. The exam is 7-day penetration test. You need to perform a thorough penetration test against the web applications of the given organization. A necessary but not sufficient condition to pass the exam is getting into the admin page as an admin user. Believe me, you may even face difficulties in finding the login page of admin if you don’t follow the basics.

These are some of the comments I read through forum posts before taking the exam:

So, it’s not about your skills in exploiting vulnerabilities. You have to stick to the basics and follow your rule of thumb as a pentester. The exam is quite challenging and fun at the same time. If you are not into web application security, you will face some difficulties. However, if you followed the course thoroughly and did all your labs, you can crack the exam. The exam is a real-world scenario. You will get to know this once you completed the exam. There is not only one way to gain admin access. There are multiple ways to get into the admin area. I exploited two of them. Altogether, I found 23 vulnerabilities in all the hosts, domains and subdomains. I submitted a ~50-page report explaining all the vulnerabilities, exploits, and remediation at the end of the exam. I’ve been awarded the certification after 10 business days. Thanks to Armando Romeo for reviewing my report.

Here are some tips for the exam:

• Follow the course and do all your labs.
• Spend some time and work on your recon phase.
• Don’t get stuck at one point. Check other alternatives. There are multiple ways to exploit.
• Make sure to document everything and take screenshots, PoC, burp requests & responses, etc. as evidence.
• Pay attention to subdomain enumeration, SQLi, XSS, CSRF, password cracking, unrestricted file uploads.
• Last but not least try to get some rest. Don’t get too stressed out. Go for a swim, watch a movie, or whatever you like. Then come back and continue with the exam.

The course details can be found here: https://www.elearnsecurity.com/certification/ewpt/

Think Different and Try Harder! Good luck with the exams 🙂

About the author

Nirosh Jayaratnam works at 99X Technology as a Security Test Engineer. He is a PenTester and security enthusiast. His core area of expertise is in application security.