Hi Guys

Is there anyone out there whom has taken both the GPEN and GWAPT certs? If so which was more difficult please?

Cheers

The GWAPT test was harder than GPEN test.  Part of it is that web pen testing is about nuance where many of the things on GPEN are more straight forward.  An app is either vulnerable or it's not, where an XSS or SQL injection can look a number of ways.  We covered Nessus in GPEN, there are 4 or 5 scanners used for GWAPT.  It's the little things that will get you.  I thought the GWAPT class was harder than the GPEN class too.  I think that part of that is due to the fact that Ed Skoudis is a badass when it comes to course devel.  His courses have a great flow to them, and Ed is an excellent educator.  Kevin's class, the web app pen testing class, is very good but the information doesn't have as much of a flow to it.  It is still an excellent class, but the material that has to be covered can't really have as much of a natural flow to it. 

This is more forward than I normally am, but take 560 (GPEN) before you take 542 (GWAPT) I think, the GPEN will get you the business knowledge and the GWAPT covers more skills type things.  Once you're thinking like a pen tester business and skills wise, the GWAPT will go better.  GWAPT was a kick ass class though, and you will learn great stuff.  I haven't seen any course material out there that covers what GWAPT covers as well as it covers it.

@ h1t m0nk3y - Here's an affordable course that I know about related to Web App Testing.

LSO - So You Want To Be A Web App Pentester

Also check out the 3DCPT From Heorot.net - it looks to be focused on web attacks.

http://heorot.net/training/

Cheers

For the guys who say the GWAPT was harder than the GPEN, what is your background? Is it in development/programming or network admin stuff?

Both, I program in c/c++/php/perl/python/ruby/lua predominantly but am not a true developer.  The reason the web stuff is harder course wise is that there is much more subtlety to what you are doing.  Do you need a ' or a " when you are doing a specific injection.  What happens when the script upper cases every command you type for command injection (unix doesn't like that much).  Those sort of things you don't have to deal with as much in the network pen testing classes.

That said, I should say if you have no programming background at all, you may find 542 even more challenging.  There are days in there to teach basic scripting, but you will be slower than your counterparts who have some very basic experience in programing/scripting.  That said, you don't have to have programming knowledge to take the course, you will do ok without it, but you will have to work harder.

It depends on your background.  As a developer I found the GPEN to be harder.  Network folks will probably find the GWAPT harder.