Web applications are commonly found as part of any organization’s infrastructure and are often exposed publicly and accessible to the world. Because of this, an attacker usually considers attacking the web applications in order to gain an initial foothold in the organization’s network. From my personal experience as a Pentester & Bug Bounty Hunter, you will see Web Applications everywhere, and most organizations want their exposed infrastructure to be secure & robust. Hence, Web Application Penetration Testing is one of the core skills when it comes to Pentesting & Bug Bounty.
I recently attempted eLearnSecurity’s Web application Penetration Tester eXtreme (eWPTXv2) certification, which is a real-life, scenario-based exam built around a practical black box penetration test.
In this article, I am going to cover my detailed (unbiased) feedback for the exam and some points to keep in mind. Please note that this review is not endorsed/sponsored by anyone and this is unbiased & honest feedback.
Please note: I haven’t taken the courseware as I have working experience in Web Application Penetration Testing. However, for beginners who are planning to attempt this certification, I would strongly recommend going through the courseware and practice labs.
Exam Cost: $400 (Inclusive of Tax) — This does not include courseware and practice labs, only the exam.
Voucher Validity: 6 Months from Purchase
Pre-Scheduling: Not Required. Start when you are ready
Exam Duration: 7 Days for Exam + 7 Days for Reporting. (The Exam Environment won’t be accessible after 7 days from the exam start date.)
Support line during Exam: Available & Really Fast.
Day — 1: As soon as I started my exam, I observed that this is going to be an interesting ride.
I did all the recon and enumeration activities to get the best possible information and at the end of the day, I had some security issues but I was not able to achieve any single exam objective.
Day — 2: Started Day — 2 with some hope of finding interesting issues in order to complete the exam objectives. I faced some instability in the Exam Environment, because of which it took me hours to figure out that I just needed to reset my machine a couple of times to complete the exam objective, and by the end of the day I was able to successfully finish 50% of the exam objectives.
Day — 3: For the whole of Day — 3, I was not able to move even a single inch and the challenge seemed really tough. I read lots of resources from here and there in order to understand what might be wrong.
Day — 4: I was successfully able to finish all the exam objectives and started to take all the Proofs of Concept. Started writing an initial draft of a pentest report.
Day — 5: Finished my pentest report and it was long enough to consume my whole weekend.
Day — 6: Reviewed the report and submitted it on the eLearn Exam Portal.
The exam challenges are really good & simulate real-life pentest experience to a great extent. The exam covers almost every possible & interesting security vulnerability, including modern vulnerabilities, and will require you to push yourself beyond your limits. The exam itself is a great learning experience. However, at the same time, I faced stability issues with the Exam Environment. I noticed that you will sometimes need multiple resets in order to get the exploits to execute successfully.
Overall the exam is really good and I found it best in class for the Black Box Pentest Approach. I highly recommend this certification for anyone who wants to challenge their skills in Black Box Pentest.
Great Job eLearnSecurity Team on the exam part.