I finally took my eWPT exam this past weekend, so it is nice to have another cert out of the way.
While I can't give away too much information about exam specifics, it was fairly straightforward.
To quote NovaHax on TechExams:
- Here's an App
- Test the App
- Gain Admin Access to App
- Document all findings
The exam starts with a wildcard domain, and the goal of finding all vulns in all subdomains. I started by performing some subdomain enumeration, but I won't get into too many details about that.
Once all the domains are found, the test becomes a standard web app pentest. Paying attention to all information gathered, as well as ALL possible avenues of exploitation, is very important.
In the end, I ended up with over 10 vulns for the entire web application and a 39-page report.
I am currently awaiting reviewer feedback on my report, but I'm fairly confident about my current status.
The reviewer has 30 business days to give feedback, but I know that my eCPPT only took about seven. I will be on vacation during the holidays, but I am hoping to know how I did before then.
This was an enjoyable cert, relevant to my current position, and surprisingly useful (even considering my experience).
Once I return from the holidays, I plan on starting the eWPTX course.