When I did the GWAPT I already had the GPEN along with my other certs. And I still found the course to be quite good. However I did not have the practical experience in the field of web app pentesting. Hence my reason for doing the course.

In fact I am just now building those hours. So my thoughts on the course are against that background. 

Thanks Don for the link to the review.

This course looks like pretty a pretty good one. It's hard to get methodology from a book, and SANS are usually good on that regard.

H1t ... If you're going to choose a course, I suggest definitely investing in some books before forking out money for a course. For the most part, you can teach yourself SQL injection which is the VAST majority of what most classes will cover.

Let's have a realistic view of what's involved with "pentesting" webservers shall we?

Your machine --> Interact --> Webserver

Your machine --> post or pull data --> Webserver

What is your goal here. To either push your data or exfiltrate THEIR data. How do you accomplish this. SOAP, AJAX, etc., what you're learning is how to subvert an application which is something you can teach yourself.

Foundstone has HACME bank, OWASP has their webserver, etc., the commonality is understanding how data interacts between your machine and the server. For this, you could create VMWare images to accomplish the same. So think "Damn Vulnerable Linux"

Now what's involved with truly understanding this (web application) and why may some of these courses fail...

So you set out to do one of these course and they're going to rehash SQL injection of some form - since this is the most popular form of attackers compromising and ex-filtrating data... What are you paying for in these courses? How about you set up your own W2X server running a CMS or other application and tinkering on your own. There are plenty of videos and content freely available which would save you big bucks in the long run. Think out of the box. Many applications are available for demos. When I discovered vulnerabilities in SAP, Oracle, it was done through demos. I downloaded Oracle's Beehive server, tinkered with it, fuzzed it to shreds (beStorm, Klocwork, etc). Something you will almost ALWAYS have to do on your own anyway.

For SQL injection training, etc., I want to say look up Joe McCray's Advanced SQL content (http://www.youtube.com/watch?v=WkHkryIoLD0) you could teach yourself on your own. Its all about you taking a moment to understand what it is your trying to accomplish. In this case, I point to the above. You either want to post or pull. Teach yourself how to do so normally... Subverting it is a matter of creativity.

Now... If I DID have to choose a course, I'd go with IACRB's and the reason for this is because I know who teaches the content and I know what they do for a living. Most have written the books you will read anyway, secondly, most have HANDS on experience during their day jobs at places like Northrop Grumman, ETC.. You don't necessarily need to fork out 4K at IACRB (InfoSec Institute), if they're quoting you that let me know and I will get them to lower your price. Also, you don't necessarily need to be on-site although you will learn a lot more in-person. Then again, IACRB just made this class... I forgot they don't have the online class yet.

Here are some books I would get (preferrably used... save the money)

http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1280005643&sr=1-1
http://www.amazon.com/Deadliest-Application-Attacks-Syngrass-Deadlest/dp/1597495433/ref=sr_1_3?ie=UTF8&s=books&qid=1280005643&sr=1-3
http://www.amazon.com/Professional-Pen-Testing-Applications-Programmer/dp/0471789666/ref=sr_1_6?ie=UTF8&s=books&qid=1280005643&sr=1-6
http://www.amazon.com/Injection-Attacks-Defense-Justin-Clarke/dp/1597494240/ref=sr_1_10?ie=UTF8&s=books&qid=1280005643&sr=1-10
http://www.amazon.com/Seven-Deadliest-Microsoft-Attacks-Syngress/dp/1597495514/ref=sr_1_23?ie=UTF8&s=books&qid=1280005724&sr=1-23

Also, give a thorough look to the OWASP website. They've some good stuff which is freely available like OWASP teting guide http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents  among others http://www.owasp.org/index.php/Category:OWASP_Project

Thanks Jhaddix!

I was going for "So you wanna be a webapp pentester" since his talks at Defcon this year and last year were very interesting.

Once I am done with it, I will look at "Dafydd and Marcus".

Thanks again, very interesting stuff...