.

SANS GWAPT Exam?

<<

matt81

Newbie
Newbie

Posts: 22

Joined: Thu Nov 15, 2012 12:35 pm

Post Fri Feb 08, 2013 8:16 pm

SANS GWAPT Exam?

Quick Question - I'm looking to get much better on web application security and I'm currently doing WebGoat on a home lab.

I'm responsible for working with developers and scanning websites at my job with external vulnerability scanners.

My question is that I'm not a "developer" and would taking the GWAPT test be way too over my head? I recently passed the GCIH exam and wanted to take something that would give me a better understanding of XSS, SQL injection, etc.

Thanks
<<

Dark_Knight

User avatar

Sr. Member
Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Fri Feb 08, 2013 8:24 pm

Re: SANS GWAPT Exam?

Are you talking about taking just the test or doing the course?
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

matt81

Newbie
Newbie

Posts: 22

Joined: Thu Nov 15, 2012 12:35 pm

Post Fri Feb 08, 2013 9:00 pm

Re: SANS GWAPT Exam?

I would like to take the exam if possible, but at the very least take the course.

Are there any other course you would recommend? This one looked very interesting and my job would be paying for it.
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Feb 08, 2013 9:20 pm

Re: SANS GWAPT Exam?

I didn't take the course, but I posted about my challenge attempt here: https://www.infosiege.net/2012/04/gwapt ... ge-review/

You might find some of those resources useful in preparing for the course. If you're really feeling skittish, maybe go through something like this: http://www.amazon.com/PHP-MySQL-Web-Dev ... 0672329166 in advance. Then, you will have a little insight into development.

You certainly don't need to be a developer to understand the material. I'm sure the courseware explains the concepts well, and if there are any items you need more information on, there are tons of free resources online.
Last edited by dynamik on Fri Feb 08, 2013 11:00 pm, edited 1 time in total.
The day you stop learning is the day you start becoming obsolete.
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Feb 08, 2013 10:22 pm

Re: SANS GWAPT Exam?

You certainly don't need to be a developer to understand the material.

ajohnson is right. All you really need is to be able to read (not write) and understand basic HTML and Javascript. The course will teach you all this and the few other little things you need to know.

And by all means, if you are performing Vulnerability Assessments of web app, that's a great course/cert to get you started.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Dark_Knight

User avatar

Sr. Member
Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Fri Feb 08, 2013 10:30 pm

Re: SANS GWAPT Exam?

What they ^^^^^ said  :)
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

matt81

Newbie
Newbie

Posts: 22

Joined: Thu Nov 15, 2012 12:35 pm

Post Sat Feb 09, 2013 6:09 pm

Re: SANS GWAPT Exam?

Thanks everyone for replying - I'm definitely going to take a shot at the course and the exam.

The links were very good too. Looking forward to it!!
<<

Dark_Knight

User avatar

Sr. Member
Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Sat Feb 09, 2013 8:15 pm

Re: SANS GWAPT Exam?

If you haven't done so already grab a copy of WAHH2(Web Application Hackers Handbook).
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

docrice

User avatar

Newbie
Newbie

Posts: 31

Joined: Sun Nov 20, 2011 3:19 am

Post Sun Feb 10, 2013 2:10 am

Re: SANS GWAPT Exam?

I passed the GWAPT last year and I'm not a developer (far from it, actually, as I work on network infrastructure security for a living).  SANS SEC-542 will teach you to recognize JavaScript / Python / PHP basics and the material doesn't require you to know how to code.  I think the mindset helps, but if I can get through the course and manage to pass the GWAPT exam, you should be able to as well.

In the real-world, doing web app pentesting might practically require that you understand these areas much better, but SEC-542 is not what I'd consider a really advanced web app pentesting course.
GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, OSWP, WCNA, CCNA, CCNA Security, SFCP, SnortCP, and more useless acronyms.

Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
<<

matt81

Newbie
Newbie

Posts: 22

Joined: Thu Nov 15, 2012 12:35 pm

Post Sun Feb 10, 2013 6:33 pm

Re: SANS GWAPT Exam?

Thanks, Docrice - That was very encouraging. Looking forward to the course!!
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Feb 11, 2013 7:57 am

Re: SANS GWAPT Exam?

In the real-world, doing web app pentesting might practically require that you understand these areas much better, but SEC-542 is not what I'd consider a really advanced web app pentesting course.

+1

SEC542 is not an easy course, but it focuses on introducing all the concepts you need to become a web app penetration tester. There is simply way too much content on the topic for a 6 day course.

I haven't taken this one, but SEC642: Advanced Web App Penetration Testing and Ethical Hacking should help you become a more complete web app pentester after you have completed SEC542.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Mon Feb 11, 2013 9:44 pm

Re: SANS GWAPT Exam?

SEC542 is a very basic course, which prepares you to do the GWAPT exam, where I was given a test exam a couple of years ago. I had never studied the course, yet I passed without knowing about SOAP and a few other things that you hardly, ever see when conducting a penetration test. (I have tested a few big lists of web services, and yes it was boring, but at least I gained some experience during that, such as it's rarely any critical bugs you find, it's often just user account related problems, often rated as low or medium risk. Meaning it's just "filler space" in a report.)

Anyway, yes you can do it. I'm a hacker, and yes I knew how to write secure PHP code when I took the exam attempt (I wasn't taking the actual certification). To me, it was extremely easy, but then again I am already a hacker so of course it's easy when I specialize in web application security.

Having previously taken GPEN (and passed, and become a mentor), I knew how the exam layout would be, how the questions would be phrased (i.e. in a weird way that doesn't make sense until you understand "their language"), and of course how much you had to think about each question. Because when I did my first GPEN exam attempt (test exam, not actual exam) without any study, I passed as well without any study, but I wanted to increase my score, so I studied a bit. Anyway during that test exam, there were a lot of questions where I was thinking, is this a trick question? This is way too easy to be included in this type of exam that proves your skill, but they weren't.

Sometimes the questions can be a bit strangely phrased, so you will have to think for a while about what they actually mean. But it's nothing compared to some custom CEH courseware I went through for fun, while I was working as tech support and wondered how hard CEH would be. Not because I want the cert though, just want to see how hard / easy it would be to pass, plus it was free at my previous job. (The custom courseware.)
I'm an InterN0T'er
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Feb 12, 2013 9:50 am

Re: SANS GWAPT Exam?

I knew how the exam layout would be, how the questions would be phrased (i.e. in a weird way that doesn't make sense until you understand "their language"), and of course how much you had to think about each question.

MaXe, have you done CISSP yet (probably I guess)? If you think GPEN had funny questions, you will fall off your chair with the CISSP exam...  ;D
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Tue Feb 12, 2013 6:55 pm

Re: SANS GWAPT Exam?

I think I may have gone through some or all of the courseware from a third party provider as well. Questions were just as horrible as CEH, but I heard the actual exam questions were like, making serious infosec people die ;D
I'm an InterN0T'er

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software