As I already mentioned, I was studying for SANS GWAPT. Today the nightmare ended.
I did the live course with Kevin Johnson at the end of August, in Ottawa. I can tell you that Kevin is a good teacher: he has a lot of experience and he knows how to keep a class lively. The class was mixed: some were advanced in the field, others (like me) had some basic knowledge, and there were some who barely stayed awake. There is a lot of information in the course. Some days are easier, but day 4 (client-side discovery) was really difficult to digest.
After the course I started reading the books, listening to the MP3s, and I redid all the labs. After reading all the books once, I did the OnDemand questions. Surprise :) I failed some chapters.
The advantage of the OnDemand questions is that you can do them anytime you want, and you can repeat them. I did them until I passed all the questionnaires. I didn't use the books when I answered. Some of the questions were easy; for some of them you could even get the answer from the books. There were some good questions that made you think a little bit.
Also, some of the questions were repeated.
Two weeks ago I did the first practice test. I scored 83%, and I finished the exam in one hour. It wasn't very difficult. A little bit different from the OnDemand questions, but OK. You could answer a lot of questions just by looking in the books. Yesterday I did the second practice exam. I scored 90% in about 50 minutes. Almost 15% of the questions were similar to the ones in the first exam.
I thought that I was smart ;D and well prepared.
This morning I sat for the real exam. WHAT A DIFFERENCE >:(
There are questions where you can find the answer in the books, but for most of them the answer is at the bottom of the page, where the details are.
- You intercepted this file through the proxy. What is your next step?
- What file should you investigate, given the code?
- What attack can you perform, given the PHP code?
They were very interesting and difficult (at least for me). I say difficult because the questions on OnDemand and the practice exams made me believe that this was another theoretical exam with some practical knowledge, but it was very "practical".
In order to pass the exam, unless you are really experienced, you need:
- The books
- To practice all the labs, know the tools, and go the extra mile with the labs
- To study hard
I think that for someone with a web programming background it will be easier to understand the code in the exam, but there are other questions where you should have at least a basic knowledge of the whole IT environment.
For someone who wants to pass the exam, I recommend buying the course, and even the OnDemand. Do the OnDemand questions without the manuals and you'll be surprised ::)
For beginners in web penetration testing I would recommend starting with something else (eLS maybe), because I don't think they'll have enough time to do it (unless they are geniuses or unemployed).
So, on the final exam I got 85% in 1 hour and 50 minutes, but I felt a carrot in my back during the exam :P
I am happy, and this was an interesting experience (this was my first SANS).