Want to get into Web application Pentesting in a black-box style?

Edwin Karlos Luciano Jr
Mar 28, 2021

The WAPTv3/eWPT experience

What is the WAPTv3/eWPT, and what does it stand for?

WAPTv3 stands for Web Application Penetration Testing, version 3, and eWPT stands for eLearnSecurity Web Application Penetration Testing.

The eWPT exam is a 100% practical certification on Web Application Penetration Testing, wherein you’ll have to upload a commercial-grade quality report in order to pass the exam.

Course

This course is meant to build the foundation for Web Application Penetration Testing. The materials cover the following topics:

  1. Penetration Testing Process
  2. Introduction
  3. Information Gathering
  4. Cross-Site Scripting
  5. SQL Injections
  6. Authentication and Authorization
  7. Session Security
  8. Flash
  9. HTML5
  10. File and Resources Attacks
  11. Other Attacks
  12. Web Services
  13. XPath
  14. Penetration Testing Content Management Systems
  15. Penetration Testing NoSQL Databases

All of which offer:

  • Reading Materials
  • Videos
  • Lab Access

Everything is well organized and structured properly.

The best part of the WAPTv3 course is that it teaches you everything you need to know in order to be proficient in Penetration Testing Web Applications. I consider Web app pentesting a specialized field. If you want something more rounded, go for PTP/OSCP.

A great way to go thru the course would be in this specific order:

  • Read the materials for that topic
  • Watch all the videos for that topic
  • Do the labs for that specified topic
  • Attempt to do the challenges (the HTML5 challenge is buggy; I hope they change it to something else)

About the exam

In the eWPT exam you are given a goal; achieving it is not enough on its own, but it is required to pass the exam. You’ll be given 7 days to perform a thorough penetration test of the web application and another 7 days to write your report. This exam will test almost everything that you’ve learned in the course: not all of the topics are included, but almost everything is.

About my exam

I had covered all the materials before I hit that Begin Certification Process icon. I bought the WAPTv3 course from eLearnSecurity on August 29, 2020, two days after I passed the eJPT exam. I started reading the materials somewhere around September 15, 2020 and finished reading them around September 30, 2020. I wanted to take the exam as soon as I could; however, I wasn’t able to do all the challenges yet, so I wasn’t comfortable taking the exam. With my current job I wasn’t able to fully commit to finishing the course, so I decided to hit pause on the studies and continued on January 15, 2021.
On February 5, 2021 I felt that I was ready to take the exam. As soon as I was connected to the network, the first thing I did was browse the website.

Day 1

Unfortunately, I was constantly getting disconnected, so I emailed eLearnSecurity support to help me fix the issue. They extended my access by two days, which was absolutely amazing (on Day 3 I figured out that I didn’t need it, but it’s still nice to know that they are quick when it comes to issues regarding the exam).

Day 2

Fingerprinting, mapping the entire web application and analyzing it. This is probably the hardest part of all web applications: what is it executing, why is it executing, and how is it executing stuff.

Day 3

This was the day that I found something of use and was able to achieve the goal; in around 8 hours I was done with the exam. However, I wanted to test things further, so I didn’t submit the report just yet.

Day 4 — Day 7 (Documentation and Report writing)

These were the days I was testing for all sorts of things while documenting them. At one point I also wanted to test the capabilities of the ZAP scanner and the Burp Suite Pro active scan (with all the extensions injecting on all the headers), so I went ahead and scanned it. Overall, I believe I did a great job at reporting and finding everything I could.

My Report

I ended up with a 72-page report; it was originally 77 pages, but I managed to tidy things up and reduce it to 72 pages. I made sure that all methods and all references for remediation were there. I submitted the exam and the wait for the results began. To my surprise, they finished reviewing my report around 2 days after I submitted it, which was amazing.

Tips for people wanting to take this exam

  • As with every penetration testing engagement, make sure that your note-taking is on point.
  • Practice! I can’t stress this enough. Download DVWA, XVWA, Web Security Dojo, and Mutillidae; PentesterLab also offers a free download of their VM. Do the related labs in PortSwigger. Practice information gathering, mapping a web application, and analyzing the web application on a live bug bounty program.
  • Make sure that you understand the materials.
  • Do all the labs and the challenges.
  • Have a solid understanding of cookies and the Same-Origin Policy.
  • Don’t panic. Web Application Penetration Testing is known to be hard by itself. Don’t compare it to the difficulty of penetration testing networks. It’s like comparing peanuts to watermelons.
  • Download a copy of the Web Security Testing Guide in case you need a reference on what to do for a certain vulnerability.
  • Join the unofficial INE/eLearnSecurity Discord, where you may ask whatever questions you have regarding the courses/exam.

Conclusion

I would recommend this course for anybody wanting to get into Web Application Penetration Testing, even though some of the materials are outdated, like the Flash modules. Don’t worry, that won’t get in the way of web app penetration testing; a lot of this stuff is still relevant today. One thing that I didn’t like regarding this course was adding another DNS to my resolv.conf file. That’s the only thing I didn’t like about this course. I also recommend going through this and supplementing it with PentesterLab Pro.
