SANS GWAPT Exam?

[matt81]

Quick Question - I'm looking to get much better on web application security and I'm currently doing WebGoat on a home lab.

I'm responsible for working with developers and scanning websites at my job with external vulnerability scanners.

My question is that I'm not a "developer" and would taking the GWAPT test be way too over my head? I recently passed the GCIH exam and wanted to take something that would give me a better understanding of XSS, SQL injection, etc.

Thanks

[Dark_Knight]

Are you talking about taking just the test or doing the course?

[matt81]

I would like to take the exam if possible, but at the very least take the course.

Are there any other course you would recommend? This one looked very interesting and my job would be paying for it.

[ajohnson]

I didn't take the course, but I posted about my challenge attempt here: https://www.infosiege.net/2012/04/gwapt-challenge-review/

You might find some of those resources useful in preparing for the course. If you're really feeling skittish, maybe go through something like this: http://www.amazon.com/PHP-MySQL-Web-Development-Edition/dp/0672329166 in advance. Then, you will have a little insight into development.

You certainly don't need to be a developer to understand the material. I'm sure the courseware explains the concepts well, and if there are any items you need more information on, there are tons of free resources online.

[H1t M0nk3y]

You certainly don't need to be a developer to understand the material.

ajohnson is right. All you really need is to be able to read (not write) and understand basic HTML and Javascript. The course will teach you all this and the few other little things you need to know.

And by all means, if you are performing Vulnerability Assessments of web app, that's a great course/cert to get you started.

[Dark_Knight]

What they ^^^^^ said 

[matt81]

Thanks everyone for replying - I'm definitely going to take a shot at the course and the exam.

The links were very good too. Looking forward to it!!

[Dark_Knight]

If you haven't done so already grab a copy of WAHH2(Web Application Hackers Handbook).

[docrice]

I passed the GWAPT last year and I'm not a developer (far from it, actually, as I work on network infrastructure security for a living).  SANS SEC-542 will teach you to recognize JavaScript / Python / PHP basics and the material doesn't require you to know how to code.  I think the mindset helps, but if I can get through the course and manage to pass the GWAPT exam, you should be able to as well.

In the real-world, doing web app pentesting might practically require that you understand these areas much better, but SEC-542 is not what I'd consider a really advanced web app pentesting course.

[matt81]

Thanks, Docrice - That was very encouraging. Looking forward to the course!!

[H1t M0nk3y]

In the real-world, doing web app pentesting might practically require that you understand these areas much better, but SEC-542 is not what I'd consider a really advanced web app pentesting course.

+1

SEC542 is not an easy course, but it focuses on introducing all the concepts you need to become a web app penetration tester. There is simply way too much content on the topic for a 6 day course.

I haven't taken this one, but SEC642: Advanced Web App Penetration Testing and Ethical Hacking should help you become a more complete web app pentester after you have completed SEC542.

[MaXe]

SEC542 is a very basic course, which prepares you to do the GWAPT exam, where I was given a test exam a couple of years ago. I had never studied the course, yet I passed without knowing about SOAP and a few other things that you hardly, ever see when conducting a penetration test. (I have tested a few big lists of web services, and yes it was boring, but at least I gained some experience during that, such as it's rarely any critical bugs you find, it's often just user account related problems, often rated as low or medium risk. Meaning it's just "filler space" in a report.)

Anyway, yes you can do it. I'm a hacker, and yes I knew how to write secure PHP code when I took the exam attempt (I wasn't taking the actual certification). To me, it was extremely easy, but then again I am already a hacker so of course it's easy when I specialize in web application security.

Having previously taken GPEN (and passed, and become a mentor), I knew how the exam layout would be, how the questions would be phrased (i.e. in a weird way that doesn't make sense until you understand "their language"), and of course how much you had to think about each question. Because when I did my first GPEN exam attempt (test exam, not actual exam) without any study, I passed as well without any study, but I wanted to increase my score, so I studied a bit. Anyway during that test exam, there were a lot of questions where I was thinking, is this a trick question? This is way too easy to be included in this type of exam that proves your skill, but they weren't.

Sometimes the questions can be a bit strangely phrased, so you will have to think for a while about what they actually mean. But it's nothing compared to some custom CEH courseware I went through for fun, while I was working as tech support and wondered how hard CEH would be. Not because I want the cert though, just want to see how hard / easy it would be to pass, plus it was free at my previous job. (The custom courseware.)

[H1t M0nk3y]

I knew how the exam layout would be, how the questions would be phrased (i.e. in a weird way that doesn't make sense until you understand "their language"), and of course how much you had to think about each question.

MaXe, have you done CISSP yet (probably I guess)? If you think GPEN had funny questions, you will fall off your chair with the CISSP exam... 

[MaXe]

I think I may have gone through some or all of the courseware from a third party provider as well. Questions were just as horrible as CEH, but I heard the actual exam questions were like, making serious infosec people die