Burp Suite Certified Practitioner Exam Review

The following are my thoughts on the fairly recently released Burp Suite Certified Practitioner exam and some tips if you plan on taking it. The typical price is $99; however, I purchased several attempts around Black Friday when they had it for $9. The exam consists of two applications, each with three vulnerabilities that need to be identified and exploited. These vulnerabilities need to be exploited in order, as each of the three stages gives you access to more of the application.

Stage 1 - Get access to a low privileged user account.

Stage 2 - Escalate privileges to the administrator account.

Stage 3 - Find a way to read the file at /home/carlos/secret

It took me three attempts to pass the exam, and if you don’t make some of the mistakes I did, you can likely pass in fewer. The exam isn’t too difficult if you are well prepared. I had only gone through several of the labs the first time I took the exam. This was a mistake, as you should be very familiar with the exploit server and how to use it to deliver payloads to the simulated users. At the time, the exam was only 3 hours long, and I was trying to get familiar with the platform while taking the exam and ran out of time. Since then, PortSwigger has raised the time limit to 4 hours, which helps. The second time, I completed 5/6 of the exam and got stuck in a rabbit hole thinking there should be a different vulnerability than there actually was. The third exam, I ran into the exact same vulnerability that stumped me the second time, but I was able to take a step back and figure it out.

Overall, it was a fun experience and I learned some things from the labs and the exam. Here’s the proof I passed. Compared with some of the exams from Offensive Security, the biggest adjustment was getting used to the much shorter time limit. It forced me to adapt some of my methodology to be faster and more focused.

From the questionnaire after the exam, it sounds like this one is more targeted toward the practitioner level and another expert-level certificate may be coming at some point. I look forward to any other certifications that PortSwigger creates. I’m interested, though, to see how that exam would work if they stick to the same time limit.

Also, if you haven’t checked out the PortSwigger labs yet, I highly recommend them even if you don’t plan on taking the exam. It is some of the most thorough and organized content out there for web security. They have their quirks, but for the price of free it can’t be beat.

Tip 1

Identify the new functionality. Each of the applications across the labs and the exam uses the exact same base blogging site. Because of this, you can determine any additional functionality or differences at each new step. If you get access to a user account, you should then look at what additional functionality is exposed that wasn’t accessible unauthenticated.

Tip 2

Use selective scanning and start it as soon as possible. Automated scanning takes time, so get it started right away as you’re going through the application. In addition, focus on any inputs. PortSwigger has a guide on scanning specific inputs here: https://portswigger.net/web-security/reference/augmenting-your-manual-testing-with-burp-scanner. Also, create some scanning configurations ahead of time for the select vulnerabilities you want to look for. That will speed up the scanning as well.

Tip 3

Search the PortSwigger documentation and labs. You will likely want proof-of-concept code to exploit vulnerabilities. However, for a lot of this you can just as easily copy it from the solutions of related labs and modify it for your specific use case. There are few, if any, curve balls not covered in the labs. Because of that, they are a great reference to look at during the exam.

Tip 4

Don’t get tunnel vision. The reason I failed one of my attempts was that I got stuck thinking the new functionality had to be one type of vulnerability when it was something completely different. If you aren’t making any progress, take a step back and consider what other type of vulnerability it might be. There may also be hints in the wording of things as to what the vulnerability is or what may be happening behind the scenes.

Tip 5

Focus on the vulnerabilities relevant to the stage you are on. Just going through the list of lab categories, without using any knowledge from what I saw on the exam itself, we can categorize them into what you should be looking for at each stage. Don’t go looking for command injection at the very start.

| Category                              | Stage 1 | Stage 2 | Stage 3 |
|---------------------------------------|---------|---------|---------|
| SQL injection                         |         | ✔️      | ✔️      |
| Cross-site scripting                  | ✔️      | ✔️      |         |
| Cross-site request forgery (CSRF)     | ✔️      | ✔️      |         |
| DOM-based vulnerabilities             | ✔️      | ✔️      |         |
| Cross-origin resource sharing (CORS)  | ✔️      | ✔️      |         |
| XML external entity (XXE) injection   |         |         | ✔️      |
| Server-side request forgery (SSRF)    |         |         | ✔️      |
| HTTP request smuggling                | ✔️      | ✔️      |         |
| OS command injection                  |         |         | ✔️      |
| Server-side template injection        |         |         | ✔️      |
| Directory traversal                   |         |         | ✔️      |
| Access control vulnerabilities        | ✔️      | ✔️      |         |
| Web cache poisoning                   | ✔️      | ✔️      |         |
| Insecure deserialization              |         |         | ✔️      |
| HTTP Host header attacks              | ✔️      | ✔️      |         |
| OAuth authentication                  | ✔️      | ✔️      |         |
| File upload vulnerabilities           |         |         | ✔️      |

Tip 6

They tell you in the instructions that the low-privilege user is possibly in this list and the password in this list. There is probably a reason they mention it, and it doesn’t take long to look for user enumeration and perform password spraying. In general, most wording throughout the instructions and the exam pages is there for a reason and may be a hint for what you should do.

Tip 7

Take the practice exam. It’s a good way to get familiar with the exam format.

Tip 8

Register using the same email for the proctoring site. The whole proctoring process is odd, and I think it has thrown a couple of people off. It is only used for photo and ID verification so that you can enter a password to start the exam. For me, the proctoring site didn’t recognize the exam unless it was under the exact same email. This is just from personal experience, though. It does make me question how the integrity of the certificate will hold up, as cheating the proctoring seems trivial. However, that’s a much bigger problem that not even full-exam-length proctoring completely solves.

Tip 9

Check the website occasionally after passing the exam. I think clearer instructions after the exam would be helpful. You have to wait until the end of the full 4 hours to learn that the next step is waiting 24-48 hours for the results and proctoring to be verified. I was expecting an email when that happened and waited several days for it. It turns out you have to log in to the PortSwigger site to get the final results.
