SANS GWAPT Exam?

This topic contains 13 replies, has 6 voices, and was last updated by  MaXe 6 years, 9 months ago.

  • Author
    Posts
  • #8200
     matt81 
    Participant

    Quick Question – I’m looking to get much better on web application security and I’m currently doing WebGoat on a home lab.

    I’m responsible for working with developers and scanning websites at my job with external vulnerability scanners.

    My question is that I’m not a “developer” and would taking the GWAPT test be way too over my head? I recently passed the GCIH exam and wanted to take something that would give me a better understanding of XSS, SQL injection, etc.

    Thanks

  • #51868
     Dark_Knight 
    Participant

    Are you talking about taking just the test or doing the course?

  • #51869
     matt81 
    Participant

    I would like to take the exam if possible, but at the very least take the course.

    Are there any other course you would recommend? This one looked very interesting and my job would be paying for it.

  • #51870
     dynamik 
    Participant

    I didn’t take the course, but I posted about my challenge attempt here: https://www.infosiege.net/2012/04/gwapt-challenge-review/

    You might find some of those resources useful in preparing for the course. If you’re really feeling skittish, maybe go through something like this: http://www.amazon.com/PHP-MySQL-Web-Development-Edition/dp/0672329166 in advance. Then, you will have a little insight into development.

    You certainly don’t need to be a developer to understand the material. I’m sure the courseware explains the concepts well, and if there are any items you need more information on, there are tons of free resources online.

  • #51871
     caissyd 
    Participant

    You certainly don’t need to be a developer to understand the material.

    ajohnson is right. All you really need is to be able to read (not write) and understand basic HTML and Javascript. The course will teach you all this and the few other little things you need to know.

    And by all means, if you are performing Vulnerability Assessments of web app, that’s a great course/cert to get you started.

  • #51872
     Dark_Knight 
    Participant

    What they ^^^^^ said  🙂

  • #51873
     matt81 
    Participant

    Thanks everyone for replying – I’m definitely going to take a shot at the course and the exam.

    The links were very good too. Looking forward to it!!

  • #51874
     Dark_Knight 
    Participant

    If you haven’t done so already grab a copy of WAHH2(Web Application Hackers Handbook).

  • #51875
     docrice 
    Participant

    I passed the GWAPT last year and I’m not a developer (far from it, actually, as I work on network infrastructure security for a living).  SANS SEC-542 will teach you to recognize JavaScript / Python / PHP basics and the material doesn’t require you to know how to code.  I think the mindset helps, but if I can get through the course and manage to pass the GWAPT exam, you should be able to as well.

    In the real-world, doing web app pentesting might practically require that you understand these areas much better, but SEC-542 is not what I’d consider a really advanced web app pentesting course.

  • #51876
     matt81 
    Participant

    Thanks, Docrice – That was very encouraging. Looking forward to the course!!

  • #51877
     caissyd 
    Participant

    In the real-world, doing web app pentesting might practically require that you understand these areas much better, but SEC-542 is not what I’d consider a really advanced web app pentesting course.

    +1

    SEC542 is not an easy course, but it focuses on introducing all the concepts you need to become a web app penetration tester. There is simply way too much content on the topic for a 6 day course.

    I haven’t taken this one, but SEC642: Advanced Web App Penetration Testing and Ethical Hacking should help you become a more complete web app pentester after you have completed SEC542.

  • #51878
     MaXe 
    Participant

    SEC542 is a very basic course, which prepares you to do the GWAPT exam, where I was given a test exam a couple of years ago. I had never studied the course, yet I passed without knowing about SOAP and a few other things that you hardly, ever see when conducting a penetration test. (I have tested a few big lists of web services, and yes it was boring, but at least I gained some experience during that, such as it’s rarely any critical bugs you find, it’s often just user account related problems, often rated as low or medium risk. Meaning it’s just “filler space” in a report.)

    Anyway, yes you can do it. I’m a hacker, and yes I knew how to write secure PHP code when I took the exam attempt (I wasn’t taking the actual certification). To me, it was extremely easy, but then again I am already a hacker so of course it’s easy when I specialize in web application security.

    Having previously taken GPEN (and passed, and become a mentor), I knew how the exam layout would be, how the questions would be phrased (i.e. in a weird way that doesn’t make sense until you understand “their language”), and of course how much you had to think about each question. Because when I did my first GPEN exam attempt (test exam, not actual exam) without any study, I passed as well without any study, but I wanted to increase my score, so I studied a bit. Anyway during that test exam, there were a lot of questions where I was thinking, is this a trick question? This is way too easy to be included in this type of exam that proves your skill, but they weren’t.

    Sometimes the questions can be a bit strangely phrased, so you will have to think for a while about what they actually mean. But it’s nothing compared to some custom CEH courseware I went through for fun, while I was working as tech support and wondered how hard CEH would be. Not because I want the cert though, just want to see how hard / easy it would be to pass, plus it was free at my previous job. (The custom courseware.)

  • #51879
     caissyd 
    Participant

    I knew how the exam layout would be, how the questions would be phrased (i.e. in a weird way that doesn’t make sense until you understand “their language”), and of course how much you had to think about each question.

    MaXe, have you done CISSP yet (probably I guess)? If you think GPEN had funny questions, you will fall off your chair with the CISSP exam…  ;D

  • #51880
     MaXe 
    Participant

    I think I may have gone through some or all of the courseware from a third party provider as well. Questions were just as horrible as CEH, but I heard the actual exam questions were like, making serious infosec people die ;D

You must be logged in to reply to this topic.

Copyright ©2019 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?