There aren’t many black-box oriented certifications on the market for web applications: eLS offers two (eWPT and eWPTX), and Offensive Security now has the Web Assessor (OSWA), which costs $2,499.00 in its cheapest version.


Background and Preparation

After passing the eCPPTv2 and OSCP, I still had a $200 voucher from the INE premium plan I had bought, so I decided to go for the eWPT, as I do web pentests almost daily and it should be an easy win.

With that said, I did go through some of the training materials, feeling it wouldn’t be very productive as I already knew all of that and had regular practice on real targets. So I just waited for a holiday and went for it.


Exam Experience

I started my exam at around 9am on a holiday Friday and got one high-severity issue within the first couple of hours, but it didn’t lead me anywhere. I found the first entry point the next day; it was something I had already found and been suspicious of, but had ended up leaving for last.

After the third day, I started having numerous issues with the environment (more on that later). On the fourth day I found the way to reach the main objective and already had some additional vulnerabilities to exploit and report.

At this point I had to contact support because things were simply not working. I followed their instructions (which I prefer not to mention here), and that solved the issue by the end of that same day.

Finally, I reached the objective by exploiting vulnerabilities I had already found, though the environment was still unstable. I started writing the report with everything I had and finished it that same weekend.


Feedback and Issues Faced

First of all, I had a really good experience with eCPPT, but unfortunately that was not the case with eWPT.

I had several issues with the VPN, such as frequent disconnections and latency. This was really frustrating while doing recon and trying to exploit things with automation, because I would have to stop the connection, sometimes even reset the whole environment, and then do it all again to be sure I hadn’t missed anything. Stopping and resetting the environment also took a lot of time compared to other platforms and exams; it’s frustrating having to wait for it to work while you’re anxious to finish the exam.

All that instability might have something to do with their environment migrations, but let’s be honest: with all the cloud technologies available nowadays, it isn’t hard to just set up something like this and make it work. I mean, any CTF platform does exactly the same thing and it works just fine.

Lastly, I had an issue because I had to create a new account due to the environment problem mentioned above. After receiving my results, I wanted to add my last name to the certificate so it would match the ones I already had. For that, they ask for two full weeks. I mean, is it that hard to just change the content of a single field on a profile?

That’s by no means the support team’s fault; I’m sure they do their best to solve all the issues, and I had a good experience with support. From what I understood, they only have one person for each area, which is insane. INE really needs to invest in their team, as they also take a long time to grade the reports and deliver the exam results.

Now, was it worth it, and would I recommend paying for the eWPT? No!

In my opinion, the applications looked like a CTF made to make you lose time on unrealistic scenarios with repetitive tasks. Unless you are short on money and want to get your first certification, it’s better to just learn this stuff by yourself and use CTFs to challenge your knowledge.

Another suggestion would be to update the training material to match modern applications. Usually you won’t encounter administration areas and the like; sometimes there will be some sort of privilege levels you can try to exploit, but you won’t be focusing on just getting admin. Both the exam and the materials are from around 2013, when most apps were running on cPanel and similar, so I think that might be the reason.


Closing Thoughts

When posting reviews, I usually leave references and guides for further reading at the end, but since I didn’t study much for this one and also don’t recommend paying for it, I won’t bother doing that.

If you are still interested and want to go for it, I wish you good luck!

