Edoardo Ottavianelli

eWPT - Certified Web Application Penetration Tester

Author: Edoardo Ottavianelli
25/06/2023


I bought a voucher for the eWPT certification by eLearnSecurity (INE) on 24th March 2023. Since I had some things to do at that time I decided to start the exam on June 14th. All in all, I must say that it is a good exam that covers many aspects of web security, even if it does not push the challenge to the limit, all security problems are not difficult to exploit once identified.

eWPT in brief

The eLearnSecurity Web Application Penetration Tester (eWPT) certification assesses a cyber security professional's web application penetration testing skills. The exam is a skills-based test that requires candidates to perform a real-world web app pentesting simulation. By obtaining the eWPT, your skills in the following areas will be assessed and certified: Penetration testing processes and methodologies, Web application analysis and inspection, OSINT and information gathering techniques, Vulnerability assessment of web applications, OWASP TOP 10 2013 / OWASP Testing guide, Manual exploitation of XSS, SQLi, web services, HTML5, LFI/RFI, Exploit development for web environments and Advanced Reporting skills and remediation.

eWPT exam

The connection to the target network is very easy:

1. Download the OVPN file with your credentials
2. Execute "sudo openvpn file.ovpn"
3. Enter the credentials (if needed)
4. Once you see "Initialization Sequence Completed" you're effectively connected
5. Type CTRL+Z
6. Execute "bg"
7. Ping a machine inside the internal network to test your connection

I can't say anything about the exam, but I can recommend very well done report templates:

• https://github.com/anontuttuvenus/eWPT-Report-Template (I've used this one)
• https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report

Be aware that you will be evaluated both on the technical content and on the report, so submitting a well organized report is a must. Read carefully the letter of engagement in which you'll find what you need to include in the report.

eWPT tips and tricks

1. Don't finish the penetration test and then start writing the template
2. While testing the target take notes on a document that you'll use during the report writing phase
3. Take a lot of notes
4. Take a lot of screenshots
5. Don't understimate some features, try to test all the injection / likely to be vulnerable points you see
6. Burp Suite (or any other forward proxy) is your friend

Some useful links:

• https://members.elearnsecurity.com/exams/ewpt
• https://new.reddit.com/r/eLearnSecurity/
• https://github.com/CyberSecurityUP/eWPT-Preparation

In the end I have to say that it's a good exam, I would recommend it to anyone who has a good knowledge of web and web security and wants to have a certification in this area. If instead you want to try to get the eJPT certification, see the notes I took while preparing for eJPT certification

If you have any doubt or just want to ask me something, ping me here.


edoardottt👹