SANS GWAPT Exam?

Viewing 13 reply threads
  • Author
    Posts
    • #8200
      matt81
      Participant

      Quick Question – I’m looking to get much better on web application security and I’m currently doing WebGoat on a home lab.

      I’m responsible for working with developers and scanning websites at my job with external vulnerability scanners.

      My question is that I’m not a “developer” and would taking the GWAPT test be way too over my head? I recently passed the GCIH exam and wanted to take something that would give me a better understanding of XSS, SQL injection, etc.

      Thanks

    • #51868
      Dark_Knight
      Participant

      Are you talking about taking just the test or doing the course?

    • #51869
      matt81
      Participant

      I would like to take the exam if possible, but at the very least take the course.

      Are there any other course you would recommend? This one looked very interesting and my job would be paying for it.

    • #51870
      dynamik
      Participant

      I didn’t take the course, but I posted about my challenge attempt here: https://www.infosiege.net/2012/04/gwapt-challenge-review/

      You might find some of those resources useful in preparing for the course. If you’re really feeling skittish, maybe go through something like this: http://www.amazon.com/PHP-MySQL-Web-Development-Edition/dp/0672329166 in advance. Then, you will have a little insight into development.

      You certainly don’t need to be a developer to understand the material. I’m sure the courseware explains the concepts well, and if there are any items you need more information on, there are tons of free resources online.

    • #51871
      caissyd
      Participant

      You certainly don’t need to be a developer to understand the material.

      ajohnson is right. All you really need is to be able to read (not write) and understand basic HTML and Javascript. The course will teach you all this and the few other little things you need to know.

      And by all means, if you are performing Vulnerability Assessments of web app, that’s a great course/cert to get you started.

    • #51872
      Dark_Knight
      Participant

      What they ^^^^^ said  🙂

    • #51873
      matt81
      Participant

      Thanks everyone for replying – I’m definitely going to take a shot at the course and the exam.

      The links were very good too. Looking forward to it!!

    • #51874
      Dark_Knight
      Participant

      If you haven’t done so already grab a copy of WAHH2(Web Application Hackers Handbook).

    • #51875
      docrice
      Participant

      I passed the GWAPT last year and I’m not a developer (far from it, actually, as I work on network infrastructure security for a living).  SANS SEC-542 will teach you to recognize JavaScript / Python / PHP basics and the material doesn’t require you to know how to code.  I think the mindset helps, but if I can get through the course and manage to pass the GWAPT exam, you should be able to as well.

      In the real-world, doing web app pentesting might practically require that you understand these areas much better, but SEC-542 is not what I’d consider a really advanced web app pentesting course.

    • #51876
      matt81
      Participant

      Thanks, Docrice – That was very encouraging. Looking forward to the course!!

    • #51877
      caissyd
      Participant

      In the real-world, doing web app pentesting might practically require that you understand these areas much better, but SEC-542 is not what I’d consider a really advanced web app pentesting course.

      +1

      SEC542 is not an easy course, but it focuses on introducing all the concepts you need to become a web app penetration tester. There is simply way too much content on the topic for a 6 day course.

      I haven’t taken this one, but SEC642: Advanced Web App Penetration Testing and Ethical Hacking should help you become a more complete web app pentester after you have completed SEC542.

    • #51878
      MaXe
      Participant

      SEC542 is a very basic course, which prepares you to do the GWAPT exam, where I was given a test exam a couple of years ago. I had never studied the course, yet I passed without knowing about SOAP and a few other things that you hardly, ever see when conducting a penetration test. (I have tested a few big lists of web services, and yes it was boring, but at least I gained some experience during that, such as it’s rarely any critical bugs you find, it’s often just user account related problems, often rated as low or medium risk. Meaning it’s just “filler space” in a report.)

      Anyway, yes you can do it. I’m a hacker, and yes I knew how to write secure PHP code when I took the exam attempt (I wasn’t taking the actual certification). To me, it was extremely easy, but then again I am already a hacker so of course it’s easy when I specialize in web application security.

      Having previously taken GPEN (and passed, and become a mentor), I knew how the exam layout would be, how the questions would be phrased (i.e. in a weird way that doesn’t make sense until you understand “their language”), and of course how much you had to think about each question. Because when I did my first GPEN exam attempt (test exam, not actual exam) without any study, I passed as well without any study, but I wanted to increase my score, so I studied a bit. Anyway during that test exam, there were a lot of questions where I was thinking, is this a trick question? This is way too easy to be included in this type of exam that proves your skill, but they weren’t.

      Sometimes the questions can be a bit strangely phrased, so you will have to think for a while about what they actually mean. But it’s nothing compared to some custom CEH courseware I went through for fun, while I was working as tech support and wondered how hard CEH would be. Not because I want the cert though, just want to see how hard / easy it would be to pass, plus it was free at my previous job. (The custom courseware.)

    • #51879
      caissyd
      Participant

      I knew how the exam layout would be, how the questions would be phrased (i.e. in a weird way that doesn’t make sense until you understand “their language”), and of course how much you had to think about each question.

      MaXe, have you done CISSP yet (probably I guess)? If you think GPEN had funny questions, you will fall off your chair with the CISSP exam…  ;D

    • #51880
      MaXe
      Participant

      I think I may have gone through some or all of the courseware from a third party provider as well. Questions were just as horrible as CEH, but I heard the actual exam questions were like, making serious infosec people die ;D

Viewing 13 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?