Last month, a number of us EH-Netters attended SANS 2009. The is the first of a few reviews of SANS courses. Thanks for the time and effort, Ryan.

Permanent link: [Article]-Review: SANS SEC542 - Web App Penetration Testing and Ethical Hacking


Hope this helps,
Don

I have been waiting patiently for this review. Thank you very much for such a detailed review. It is very  much appreciated Ryan.

nice writeup Ryan!

This is my take on it, not part of the review because this is very subjective and not really an objective look at the course, but, that is an excellent question, and I'm glad you asked. Most of the things that folks want to learn can be found in a book or online, whether it is calculus or hacking.  Knowing that you can use burp proxy to do web pen testing, and knowing that it has x y and z options does not tell you how, when, or where to apply it.

Part of the value of a course is the ability to ask questions and ask for direction.  Sure.. there are other venues where you can ask questions, but if you have the option of having hands on explanation on how to do something from a jedi master, then that is something valuable.  With other venues, your mileage may vary, and they will rarely show you what you are doing wrong in an interactive way where you can have immediate feedback and you can make sure you have a full understanding when you walk away.

I would say that the value of SANS courses lies partially in the tools that you learn, partially in the knowledge of how to implement them, and partially in the experiences that the teachers shares around real world usage and scenarios . What sets SANS aside from other teaching institutions is the real word experience and techniques for application of the tools.   The SANS instructors are not just instructors, they are practitioners as well.  Knowing not just what Paros proxy does, but knowing when to apply it vs Burp or WebScarab has a lot of value.  That sort of information you probably won't get from a webpage, you might get from a forum, but in most cases talking to Kevin Johnson will get you the right answer.

If I had unlimited time, there are lots of things that I'd like to learn. I could read the books, try to figure out the exercises, spend some time getting frustrated because something didn't work, and I'd eventually get it.  Why I like SANS, and why I keep going back, is because when I leave a SANS course I feel like I've had a MAC truck full of information driven into my head, with exercises to drive the information home, and when I go back to my office, I've got stuff that I can start doing.  It may not be at the same level as the instructor, but after each SANS class I've taken I've been able to build upon that knowledge immediately. 

On a personal note, I would have to say that SANS is a huge jump start.  When I took 504, I had some basic stuff that I was doing, and after 504, I had really kicked it up a notch.  I was using nmap more effectively, my metasploit fu was vastly improved, I started writing vbs scripts using wmic as soon as I got back to do incident response and all of that goodness.

After I took 560, I started writing my own metasploit additions, started playing with writing my own nmap NSE scripts, and had another huge jump from where I was after 504.  This may or not be typical, I don't know, but if you are reading man pages for your docs, I wouldn't say it's out of the question.  560 was another enlightenment for me, some of the things I'd been struggling with on my own were a lot more clear, and during the capture the flag on the last day.. walking away I just kinda got it.

With 542, I had played with BeEF some, I've used Paros and such, but much of the information was really driven home.After 542, I felt like I "got it" a lot better.  Many of the things that I'd been missing tool wise were now there, and a lot of aspects that I didn't really understand completely why they were bad and how to exploit them I had gotten a hands on demo with and had been able to talk to the instructor in depth about.  I'd never spent much time busting apart Flash applications and messing with them, but I sure as heck do now.  I'd never really spent much time comparing the minor differences between web pages when I gave them valid and invalid information to see what happens, but now I do, and I can do it more efficiently and quickly. 

Having this course through SANS is great, I hope that they do a higher level course with more ninja skills in it.  I definitely picked up some great stuff in the class, but there is a big focus on tools.  Looking through the course though, you go from evaluating web servers, to evaluating web code, to evaluating implementation, to evaluating applets, to evaluating logic.  I don't think that it's reasonable to be an expert in all of those after once class, but if you aren't already a full time web pen tester and doing all of these things, this will be a huge shove in the right direction for you.

If you are tight on cash, there are things that you can do to bring down the price of classes.  Things like the Mentor program, or offering to TA or host a class locally all can bring down the price of the course. 

Sorry of this is a little disjointed, I probably shouldn't be writing more than a sentence or two response after 1AM

We'll just say that Don is a great editor and leave it at that

I just took this class last week at SANSFire in Baltimore. I really enjoyed it. Fantastic content.

Has anyone here taken SANS 542?

I did the class OnDemand and am on the final CTF challenge.

Normally this is done in one day with a team but I'm working alone.
If anyone who took the class and give me some direction I'd appreciate it, please contact me.


Also, Has anyone taken the GWAPT test?  if so, how hard was it, how closely did it mirror the course contents, etc..

Thanks