GWAPT with Live & OnDemand - review

<<

alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Tue Dec 20, 2011 4:34 pm

GWAPT with Live & OnDemand - review

Hello guys,
As I already mentioned I was studying for SANS GWAPT. Today the nightmare ended.

I did the live course with Kevin Johnson at the end of August, in Ottawa. I can tell you that Kevin is a good teacher, he has a lot of experience and he knows how to animate a class. The class was mixed, some were advanced in the field, others (like me) had some basic knowledge, and there were some who barely stayed awake. There is a lot of information in the course. Some days are easier, but day 4 – client side discovery- was really difficult to digest.

After the course I started to read the books, listen to the mp3’s, and I redid all the labs. After I read all the books once I did the OnDemand questions. Surprise  :) Failed some chapters.
The advantage with the questions from OnDemand is that you can do them anytime you want, and you can repeat them. I did them until I passed all the questionnaires. I didn't use the books when I answered. Some of the questions were easy, for some of them you could even get the answer from the books. There were some good questions that made you think a little bit.
Also, there was a repetition of some questions.

Two weeks ago I did the first practice test. I scored 83%, and I finished the exam in one hour. It wasn’t very difficult. A little bit different than the OnDemand, but OK. You could answer a lot of questions just by looking in the book. Yesterday I did the second practice exam. I scored 90% in about 50 minutes. Almost 15% of the questions were similar to the ones in the first exam.
I thought that I was smart  ;D and well prepared.

This morning I sat for the real exam. WHAT A DIFFERENCE  >:( ??? :-\ ::)

There are questions where you can find the answer in the books, but for most of them the answer is at the bottom of the page, where the details are.

The biggest difference was in the questions that presented you some code (HTML, PHP, JavaScript...) and you had to answer some questions:
- You intercepted this file through the proxy. Which is your next step?
- What file should you investigate given the code?
- What attack can you perform given the PHP code?
- …

They were very interesting and difficult (at least for me). I say difficult because the questions on OnDemand and the practice exams made me believe that this is another theoretical exam, with some practical knowledge, but it was very “practical”.

In order to pass the exam, unless you are really experienced, you need:
- The books
- To practice all the labs, to know the tools, and go the extra mile with the labs
- To study hard

I think that for someone with a web programmer background it will be easier to understand the code in the exam, but there are other questions where you should have at least a basic knowledge about the whole IT environment.

For someone who wants to pass the exam I recommend buying the course, and even buying the OnDemand. Do the questions on the OnDemand without the manuals and you’ll be surprised  ::)

For the beginners in web penetration testing I would recommend starting with something else (eLS maybe), because I don’t think they’ll have enough time to do it (unless they are geniuses or unemployed).

So, for the final exam I had 85% in 1h50 minutes, but I felt a carrot in my back during the exam  :P

I am happy, and this was an interesting experience (this is my first SANS).
Last edited by alucian on Tue Dec 20, 2011 5:33 pm, edited 1 time in total.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
<<

lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Tue Dec 20, 2011 4:52 pm

Re: GWAPT with Live & OnDemand - review

Gratz!  Thanks for the review and the study tips, much appreciated :)
Last edited by lorddicranius on Wed Dec 21, 2011 11:17 am, edited 1 time in total.
GSEC, eCPPT, Sec+
<<

Eleven

Full Member

Posts: 121

Joined: Thu Nov 10, 2011 6:47 pm

Post Tue Dec 20, 2011 8:49 pm

Re: GWAPT with Live & OnDemand - review

Thanks for the review, and congrats on passing!  From the way it started I was worried you failed. :)
<<

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Dec 20, 2011 10:25 pm

Re: GWAPT with Live & OnDemand - review

Congrats, alucian!  One of these days, I'm gonna be able to swing the cost for GWAPT (hopefully sooner than later,) so it's nice to hear others' 'war stories.'
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

KrisTeason

Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Tue Dec 20, 2011 10:49 pm

Re: GWAPT with Live & OnDemand - review

Hey Alucian!

Congrats! Be sure to update your signature with your new cert. I've heard similar stories regarding practice exams and then finally sitting for the real examination. Do you think someone who went through the Web Application Hacker's Handbook would be prepped enough for the class?
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Wed Dec 21, 2011 2:24 am

Re: GWAPT with Live & OnDemand - review

What if you just signed up for the OnDemand as opposed to the vLive or something like that?  Does the OnDemand leave out things that are in the live course?  I like to work at my own pace, so if I ever save up enough money for GWAPT, I would probably do the OnDemand.  I have an insane memory, but it only works if I have time to process the information.  Taking the live class I'd learn all the material so fast that I'd probably not retain it that well after the exam.
Sec+, eCPPT
<<

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Wed Dec 21, 2011 3:39 am

Re: GWAPT with Live & OnDemand - review

Congrats, alucian!
<<

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Wed Dec 21, 2011 8:30 am

Re: GWAPT with Live & OnDemand - review

Nice write-up Alucian!  Yeah those GIAC practice exams do give you a bit of false hope :D  I sticky noted the hell out of my course manuals and made up a nifty index so I can remember to flip to whatever page in whatever manual I needed.  Those 2 hours go pretty fast.  The biggest advantage is to know the material so you don't have to use the books unless you hit those really tough questions. 

Congrats on the Win!
Certs: GCWN
(@)Dewser
<<

ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Wed Dec 21, 2011 9:00 am

Re: GWAPT with Live & OnDemand - review

I'm assuming when you took the exam it was the new 75 question format instead of the older 150 question format.

If that's the case, the newer format includes questions that are less memorization type questions and more applying knowledge questions. They're often described as being "harder," but I would say it's not so much that they're harder. They just better measure your total grasp of the subject. Isn't this what you want from a certification anyway?

I've yet to actually take one of the new formatted exams, but I imagine the reason that the practice exams weren't exactly representative of the actual exam is that the question banks for practice tests generally come from retired/old exam questions. (I don't think that's 100% of the case but some are.) Therefore, with the new format, there just hasn't been enough time for the practice test question banks to get many of the newer style questions.
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
<<

alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Wed Dec 21, 2011 9:52 am

Re: GWAPT with Live & OnDemand - review

@ ziggy_567

Indeed, it was the 75 questions exam. After the exam the value of this certification increased in my eyes. They are really testing your knowledge and your experience.

@ Seen
I did the live course because the company paid for it. It was like a little vacation. I even made new friends :)
The company also paid for the OnDemand and the exam.
In terms of knowledge there is no difference between the live class, the OnDemand or the course only. The OnDemand is like someone is reading the book for you. The real difference with OnDemand is with the questions, not the material.

If you only buy the course, without vLive, without OnDemand, you'll receive the books, the labs, and the mp3's. The mp3's were recorded during one live training, and they include all the class material, all the stories, all the jokes.

Even if you take the live class you will have to start from the beginning, because in the class you can't assimilate all the knowledge. Especially day 4 (Ajax, JSON, WSDL, Flash...). In our class there was silence  ::) I admit that I was completely lost. Even on mp3's you'll see that there are no comments, and you'll believe that it was recorded in a studio :) This is the day that makes the difference between this course and a regular book (WAHH2)

@ xXxKrisxXx
I don't think that by reading the WAHH2 you'll be able to pass the exam. You need the official manuals, because you have at least 10 questions where you can go in the manual and read the answer.
Also, the WAHH doesn't go in the same detail about Ajax, about python, php, WebServices, Flash...
Plus, with the course you'll receive two virtual machines: one is the target and the other one is a custom version of Samurai WTF. You have a lot of exercises to perform during the course, and you can even go an extra mile (recommended).
Keep in mind that you have 5 books, labs to do in 4 months. Sounds like a lot of time, but when you have a family and a job ... it becomes a problem.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
<<

Seen

Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Wed Dec 21, 2011 4:44 pm

Re: GWAPT with Live & OnDemand - review

Thanks, I guess I'll do OnDemand then if I ever get the money.
Sec+, eCPPT
<<

docrice

Newbie

Posts: 31

Joined: Sun Nov 20, 2011 3:19 am

Post Thu Dec 22, 2011 11:36 pm

Re: GWAPT with Live & OnDemand - review

I just started the OnDemand for 542, and since my web skills are very weak this will be a good stretch for me.  I've taken several other SANS courses and while they were all challenging in their own ways, I already had at least some experience in the subject matter before taking them.  542 should be a huge smack in the face for me.

In my experience, GIAC practice exams are pretty similar to the actual exam.  It's interesting to hear that GWAPT's is different, but I assume this might also be at least partially due to the updated exam format.
GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, OSWP, WCNA, CCNA, CCNA Security, SFCP, SnortCP, and more useless acronyms.

Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
<<

iamnowonmai

Newbie

Posts: 2

Joined: Mon Jun 20, 2011 10:16 am

Post Fri Dec 23, 2011 3:45 pm

Re: GWAPT with Live & OnDemand - review

ziggy_567 wrote:
If that's the case, the newer format includes questions that are less memorization type questions and more applying knowledge questions. They're often described as being "harder," but I would say it's not so much that they're harder. They just better measure your total grasp of the subject. Isn't this what you want from a certification anyway?

I've yet to actually take one of the new formatted exams, but I imagine the reason that the practice exams weren't exactly representative of the actual exam is that the question banks for practice tests generally come from retired/old exam questions. (I don't think that's 100% of the case but some are.) Therefore, with the new format, there just hasn't been enough time for the practice test question banks to get many of the newer style questions.


Correct that the cognitive level of a question doesn't map to the difficulty in a linear fashion.

Incorrect that the practice questions are old and used to be certification questions.

Merry Christmas to you all :)
