Hello guys,
As I already mentioned I was studying for SANS GWAPT. Today the nightmare ended.

 I did the live course with Kevin Johnson at the end of August, in Ottawa. I can tell you that Kevin is a good teacher, he has a lot of experience and he knows how to animate a class. The class was mixed, some were advanced in the field, others (like me) had some basic knowledge, and there were some who barely stayed awake. There is a lot of information in the course. Some days are easier, but day 4 – client side discovery- was really difficult to digest.

After the course I started to read the books, listen to the mp3’s, and I redid all the labs. After I read once all the books I did the OnDemand questions. Surprise   Failed some chapters.
The advantage with the questions from OnDemand is that you can do them anytime you want, and you can repeat them. I did them until I pass all the questionnaires. I didn't used the books when I answered. Some of the questions were easy, for some of them you could even get the answer from the books. There were some good questions that made you think a little bit.
Also, there was a repetition of some questions.

Two weeks ago I did the first practice test. I scored 83%, and I finished the exam in one hour. It wasn’t very difficult. A little bit different than the OnDemand, but OK. You could answer a lot of question just by looking in the book. Yesterday I did the second practice exam. I scored 90% in about 50 minutes. Almost 15% of the questions were similar with the ones in the first exam.
I thought that I was smart   and well prepared.

This morning I sat for the real exam. WHAT A DIFFERENCE  

There are questions where you can find the answer in the books, but for most of them the answer is at the bottom of the page, where the details are.

The biggest difference was in the questions that presented you some code (html, php, javascript..) and you had to answer to some questions:
- You intercepted this file through the proxy. Which is your next step?
- What file should you investigate giving the code??
- What attack can you perform giving the php code?
- …

They were very interesting and difficult (at least for me). I say difficult because the questions on OnDemand and the practice exams made me believe that this is another theoretical exam, with some practical knowledge, but it was very “practical”.

In order to pass the exam, unless you are really experienced, you need:
- The books
- To practice all the labs, to know the tools, and go the extra mile with the labs
- To study hard

I think that for someone with a web programmer background will be easier to understand the code in the exam, but there are other questions where you should have at least a basic knowledge about the whole IT environment.

For someone who wants to pass the exam I recommend to buy the course, and even buy the OnDemand. Do the questions on the OnDemand without the manuals and you’ll be surprised  

For the beginners in the web penetration testing I would recommend to start with something else (eLS maybe), because I don’t think they’ll have enough time to do it (unless they are geniuses or unemployed).

So, for the final exam I had 85% in 1h50 minutes, but I felt a carrot in my back during the exam  

I am happy, and this was an interesting experience (this is my first SANS).

Thanks for the review, and congrats on passing!  From the way it started I was worried you failed.

Hey Alucian!

Congrats! Be sure to update your signature with your new cert. I've heard similar stories regarding practice exams and then finally sitting for the real examination. Do you think someone who went through the Web Application Hackers Handbook would be prepped enough for the class?

Congrats, alucian!

I'm assuming when you took the exam it was the new 75 question format instead of the older 150 question format.

If that's the case, the newer format includes questions that are less memorization type question and more applying knowledge questions. They're often described as being "harder," but I would say its not so much that they're harder. They just better measure your total grasp of the subject. Isn't this what you want from a certification anyway?

I've yet to actually take one of the new formatted exams, but I imagine the reason that the practice exams weren't exactly respresentative of the actual exam is that the question banks for practice tests generally come from retired/old exam questions. (I don't think that's 100% of the case but some are.) Therefore, with the new format, there just hasn't been enough time for the practice test question banks to get many of the newer style questions.

Thanks, I guess I'll do OnDemand then if I ever get the money.

Correct that the cognitive level of a question doesn't map to the difficulty in a linear fashion.

Incorrect that the practice questions are old and used to be certification questions.

Merry Christmas to you all