eWPTv2 Review 2023

I recently passed the eWPTv2 exam, which was released in October this year. It is an enhanced version of the v1 exam, which included some old and obsolete topics, mostly not relevant in today's scenario. In this article I will share my views on the exam and the course material, and whether you should take it or not.

Background

  • I am an InfoSec Engineer and my day-to-day activities don't include anything related to pentesting. I have played CTFs in the past and solved machines on HTB and THM, so I have some knowledge of web app vulnerabilities, the OWASP Top 10, etc.

The Course Material

  • The course material is presented by Alexis Ahmed (HackerSploit) and is divided into the various web application testing phases, each with videos, quizzes and labs to solve. It covers basic HTTP technologies, their application and architecture, along with a focus on OWASP Top 10 attacks.

  • It is 100+ hours of content, which is overwhelming. I completed the course in around one month, giving it 3-4 hours on weekdays (due to office work) and around 8-10 hours on weekends.

  • I had some experience with web app testing, so I was able to finish the material in about a month. If you're a beginner, take your time to process each and every topic and google everything, as it will broaden the scope of your thinking.

Preparation before the exam

  • After completing the course and solving all the labs, I worked through other vulnerable labs: DVWA, PortSwigger's Web Security Academy (an invaluable resource for web app testing) and OWASP Mutillidae. I didn't do all of their labs, only the required ones and those at beginner level.

  • Alexis also covers the OWASP Testing Guide in the course, which eventually led me to make a checklist of my own covering the tools, commands and methodology to follow in the exam.

The Exam

  • You can start the exam directly by clicking a button; there is no need to schedule it. The exam is 10 hours long, in which you have to answer 50 questions consisting of multiple-choice and short-answer questions, all related to the environment you're testing. Keep in mind this is not a CTF-style exam. You also get access to an in-browser Kali machine, connected through a Guacamole server, with all the tools and wordlists pre-installed. NOTE: the machine does not have access to the outside internet.

  • Before starting, you are given a Letter of Engagement stating the scope and scenario for the pentest. You then have the full 10 hours to answer the questions, and to pass you need at least 70% correct answers.

  • The course material covers everything that is asked in the exam, but I still needed to do a little research during the exam. Enumeration is key, and knowing how to chain and link vulnerabilities is an advantage that is needed to build up a good methodology. API testing was new for me, and remembering the course videos and labs helped in this case.

Should you do it

  • Anyone starting their career in cybersecurity / penetration testing can take this course, as it gives an introduction to the OWASP Top 10 and covers everything from the basic level, which is definitely relevant in today's environment.

  • My advice is: "don't go for it just for the sake of the certification, but learn the concepts of how web apps work and what vulnerabilities can arise in them".

If you have questions please reach out to me. I will be happy to answer them.