Security Researcher and Open Source Developer. Passionate about Computing, Nature and cooking.
eWPT - Certified Web Application Penetration Tester
Author: Edoardo Ottavianelli
I bought a voucher for the eWPT certification by (INE) on 24th March 2023. Since I had some things to do at that time, I decided to start the exam on June 14th. All in all, I must say that it is a good exam that covers many aspects of web security, even if it does not push the challenge to the limit: none of the security problems are difficult to exploit once identified.
eWPT in brief
The eLearnSecurity Web Application Penetration Tester (eWPT) certification assesses a cyber security professional's web application penetration testing skills. The exam is a skills-based test that requires candidates to perform a real-world web app pentesting simulation. By obtaining the eWPT, your skills in the following areas will be assessed and certified: penetration testing processes and methodologies, web application analysis and inspection, OSINT and information gathering techniques, vulnerability assessment of web applications, OWASP Top 10 2013 / OWASP Testing Guide, manual exploitation of XSS, SQLi, web services, HTML5, LFI/RFI, exploit development for web environments, and advanced reporting skills and remediation.
The connection to the target network is very easy:
Download the OVPN file with your credentials
Execute "sudo openvpn file.ovpn"
Enter the credentials (if needed)
Once you see "Initialization Sequence Completed" you're effectively connected
Ping a machine inside the internal network to test your connection
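The last two steps above (waiting for "Initialization Sequence Completed", then pinging a lab host) are the ones people tend to skip and then lose time debugging a dead tunnel. The following POSIX shell helper is an added example, not part of the original post: it assumes you run `sudo openvpn file.ovpn | tee /tmp/openvpn.log` in another terminal (so the interactive credential prompt still works), polls that log for the completion line, and only then checks reachability of a target IP you supply. The log path, timeout and the sample host are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies an OpenVPN lab
# connection in two stages: tunnel up, then target reachable.
# Assumed usage in another terminal:  sudo openvpn file.ovpn | tee /tmp/openvpn.log

VPN_LOG="${VPN_LOG:-/tmp/openvpn.log}"   # assumed log location

# vpn_ready LOGFILE: 0 when OpenVPN has logged a completed handshake.
vpn_ready() {
    grep -q 'Initialization Sequence Completed' "$1" 2>/dev/null
}

# wait_for_vpn LOGFILE SECONDS: poll once per second until the tunnel is
# up (returns 0) or the timeout expires (returns 1).
wait_for_vpn() {
    log="$1"
    tries="${2:-60}"
    while [ "$tries" -gt 0 ]; do
        vpn_ready "$log" && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# check_target HOST: a single ICMP echo with a short timeout; a non-zero
# return means the tunnel is up but routing to the lab network is not.
check_target() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# connect_check HOST: the post's last two steps, in order, with a clear
# message for each failure mode.
connect_check() {
    host="$1"
    if ! wait_for_vpn "$VPN_LOG" 60; then
        echo "VPN not up after 60s; check $VPN_LOG for TLS or auth errors" >&2
        return 1
    fi
    if ! check_target "$host"; then
        echo "VPN is up but $host is unreachable; check routes pushed by the server" >&2
        return 1
    fi
    echo "Connected: $host reachable through the tunnel"
}

# Example invocation (target address is an assumption):
#   connect_check 10.10.10.5
```

Run `connect_check <lab-ip>` after starting OpenVPN; a non-zero exit separates "the VPN never came up" from "the VPN is up but the lab network is not routed", which are fixed in different places.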
I can't say anything about the exam, but I can recommend very well done report templates:
(I've used this one)
Be aware that you will be evaluated both on the technical content and on the report, so submitting a well-organized report is a must. Read the letter of engagement carefully: it tells you what you need to include in the report.
eWPT tips and tricks
Finish the penetration test and then start writing the report from the template
While testing the target take notes on a document that you'll use during the report writing phase
Don't underestimate any feature: test every injection point and every other likely-vulnerable spot you see
Burp Suite (or any other forward proxy) is your friend
Some useful links:
In the end I have to say that it's a good exam, and I would recommend it to anyone who has a good knowledge of the web and web security and wants a certification in this area. If instead you want to try for the eJPT certification, see the notes I took while preparing for the eJPT certification.
If you have any doubts or just want to ask me something, ping me.