eWPTX Review – EXTREME Web Apps for EXTREME Hackers

I finally got my final feedback, so it is time for my eWPTX review.

eWPTX Exam

The exam was very similar to the eWPT exam.

To quote NovaHax on TechExams:

  1. Here’s an App
  2. Test the App
  3. Gain Admin Access to App
  4. Document all findings

While sub-domain enumeration wasn’t quite as important to start this one, it was another standard web-app pentest.

There were a number of avenues of exploitation to follow, albeit harder than in the last cert.

Standard information gathering, enumeration, and exploitation apply to the challenges, but make sure you take special care with filter avoidance.

In the end, I had around 15 vulnerabilities for the entire application in a 27-page report.

eWPTX Course – Introduction

The course material for eWPTX was in-depth, but here is a bit about each section.

  • Encoding and Filtering – this was a fairly basic introductory chapter, but still had some useful information. The most interesting was the ability to view IE’s XSS filter regex.
    C:\WINDOWS\system32>findstr /C:"sc{r}" \WINDOWS\SYSTEM32\mshtml.dll | find "{" > C:\Users\Ray\Desktop\xss.txt
  • Evasion Basics – this covered a few alternative methods, encoding practices, and tricks for general evasion. That said, this section was the reason for me picking up r4y.pw and my Short XSS post. Additionally, I have future ideas for attacks that I plan on posting soon.

eWPTX Course – XSS

The XSS sections were great, and I have plans for a few more blog posts about them.

  • Cross-Site Scripting – I worried that this section would just cover the very basics of XSS, but I was wrong. This touched on DOM XSS more than most courses, covered actual uses of XSS (cookie grabbing, keylogging etc.), and more. Additionally, it covered a variant of XSS that was entirely new to me, called Mutation-Based XSS (mXSS).
  • XSS – Filter Evasion and WAF Bypassing – this was a fairly straightforward module with a lot of information on avoiding filters and WAFs to get XSS to actually execute. The labs increased in difficulty, but it came down to a lot of encoding, using different tags, and general trickery.

eWPTX Course – CSRF/HTML

There were a few interesting chapters between XSS and SQLi, though obviously these were the meat of the course.

  • Cross-Site Request Forgery – this module was the first time I’d ever found CSRF interesting. Usually a tutorial or book covers the basics of sending a request on someone else’s behalf. This module (and the relevant labs) actually had me attacking CSRF token implementations and things I would have overlooked. Additionally, it demonstrated a few techniques for sending the request outside of the standard auto-submitted form.
  • HTML5 – unfortunately, this module was a bit on the light side, and I was hoping for more. That said, it did go into an interesting idea about a browser-based botnet that I’d like to research further.

eWPTX Course – SQLi

These few modules were actually very helpful when it came to SQL Injection, and I look forward to taking them even further.

  • SQL Injection – this chapter was great in general for covering some more advanced injection techniques other than ' or 1=1 -- -. More importantly, it taught me about second-order SQLi. This is when your payload is stored without doing any harm at first, and the injection doesn’t fire until something ELSE in the application later reads that stored value and uses it in a query. This is something that I have an entire blog and demo planned for, so stay tuned!
  • SQLi – Filter evasion and WAF Bypassing – a similar module to the XSS avoidance/bypass one, but with some different techniques. SQL doesn’t allow as many encoding techniques, but there are various ways to build letters and strings to bypass simple filtering. I also found a fun trick from Osanda for SQLi without information_schema based on my research for this chapter.
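A constructed illustration of the second-order case described above (example code added here, not from the course or this post): registration stores the username with bound parameters, but a later "change my password" feature splices the stored username back into SQL, so that is where the injection fires. The hardened version sits beside it; table layout, user names and passwords are all made up.

```python
import sqlite3

# Added illustration, not code from the course or this post. A constructed
# two-step flow: registration stores the username with parameters (the first
# query is safe), but a later "change my password" feature splices the stored
# username back into SQL, so the injection fires there: second-order SQLi.

ADMIN_PW = "s3cret"  # constructed value

def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", ("admin", ADMIN_PW))
    return conn

def register(conn, username: str, password: str) -> int:
    # Parameterised: whatever the username contains is stored as a literal string.
    cur = conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    return cur.lastrowid

def change_password_vulnerable(conn, user_id: int, new_pw: str) -> None:
    # The stored username is treated as trusted and concatenated into the query.
    (username,) = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    conn.execute(f"UPDATE users SET password = '{new_pw}' WHERE username = '{username}'")

def change_password_fixed(conn, user_id: int, new_pw: str) -> None:
    # Data read back from the database is still data: bind it like any other input.
    (username,) = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    conn.execute("UPDATE users SET password = ? WHERE username = ?", (new_pw, username))

def password_by_id(conn, user_id: int) -> str:
    return conn.execute("SELECT password FROM users WHERE id = ?", (user_id,)).fetchone()[0]

def simulate(fixed: bool) -> tuple:
    """Run the two-step flow; return (admin password, registrant password) afterwards."""
    conn = new_db()
    # Constructed stored value: inert at INSERT time, only meaningful once it is
    # spliced into a later WHERE clause (it becomes ... username = 'x' OR username='admin').
    uid = register(conn, "x' OR username='admin", "original")
    (change_password_fixed if fixed else change_password_vulnerable)(conn, uid, "hunter2")
    return password_by_id(conn, 1), password_by_id(conn, uid)

if __name__ == "__main__":
    print("vulnerable:", simulate(False))  # the admin row is the one that changes
    print("fixed:     ", simulate(True))   # only the registrant's own row changes
```

The defensive takeaway is in change_password_fixed: a value that was bound safely on the way in still has to be bound on the way back out.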

eWPTX Course – XML Attacks

As someone who has always been a huge fan of XML attacks, I loved these sections.

  • XML Attacks – this section was awesome, and quite possibly my favorite. XXE attacks have long been a favorite of mine, albeit a bit harder to find, but this took them even further. This chapter actually covered XPath injection, XXE, and even XEE (XML entity expansion) attacks. The labs themselves were actually vulnerable to XEE, and you would have to “DoS” them and drive their utilization high before you could get the flag. I’d never actually been able to use this attack in practice, and it was fun to tinker with.
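On the defensive side of the XEE point above, here is an added example (not course or lab code) of a pre-parse check: it reads only the document’s internal DTD, works out how large each declared entity would become once fully expanded, and lets a caller refuse the document before a real parser ever expands anything. The sample document, entity names and byte budget are all constructed for the example.

```python
import re
import xml.parsers.expat

# Added illustration, not course or lab code. Read only the internal DTD of a
# document and estimate how large each declared entity would expand to, so a
# nested-entity (XEE) document can be refused before the real parser sees it.

ENTITY_REF = re.compile(r"&([^;&\s]+);")

class _DtdDone(Exception):
    """Raised from a handler to stop expat as soon as the DTD has been read."""

def collect_internal_entities(xml_bytes: bytes) -> dict:
    """Return {name: literal value} for internal general entities; content is never parsed."""
    decls = {}
    def on_decl(name, is_param, value, base, sysid, pubid, notation):
        if not is_param and value is not None:  # internal general entity
            decls[name] = value
    def on_dtd_end():
        raise _DtdDone
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_decl
    parser.EndDoctypeDeclHandler = on_dtd_end
    try:
        parser.Parse(xml_bytes, True)
    except _DtdDone:
        pass  # stopped on purpose right after "]>"
    return decls

def expanded_length(name: str, decls: dict, memo: dict, active: tuple = ()) -> int:
    """Fully expanded size of one entity, resolving references to other declared entities."""
    if name in memo:
        return memo[name]
    if name in active:
        raise ValueError(f"entity {name!r} references itself")
    value, total, last = decls[name], 0, 0
    for m in ENTITY_REF.finditer(value):
        total += m.start() - last
        ref = m.group(1)
        total += expanded_length(ref, decls, memo, active + (name,)) if ref in decls else len(m.group(0))
        last = m.end()
    memo[name] = total + len(value) - last
    return memo[name]

def worst_expansion(xml_bytes: bytes) -> int:
    decls, memo = collect_internal_entities(xml_bytes), {}
    return max((expanded_length(n, decls, memo) for n in decls), default=0)

def within_budget(xml_bytes: bytes, max_bytes: int) -> bool:
    return worst_expansion(xml_bytes) <= max_bytes

# Constructed sample: three nested entities, 10 chars x 10 x 10 = 1,000 chars once expanded.
SAMPLE = (b'<?xml version="1.0"?><!DOCTYPE data [<!ENTITY a "aaaaaaaaaa">'
          b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
          b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]><data>&c;</data>')
```

Because the estimate is computed from the literal entity values, the cost of the check grows with the size of the DTD, not with the size of the expansion it predicts.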

Status/Next Steps

Since I already got my feedback, I’m just waiting on the physical cert to arrive!

eWPTX Review - Complete

This cert was awesome, and I’m looking forward to some additional research following it.

As you can see, I’ve already posted two new topics on XSS – frameset and short.

Beyond this, I plan on posting a bit more about XPath, XXE, SQLi, filter avoidance, CSRF, and even more XSS.

This was definitely a challenging cert, but it was well worth it in my opinion. The relevance to my current position is great, and I learned a lot from it.

Though I’ve actually already started it, next up is the eMAPT course.


Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for SecureWorks. His previous position was a Senior Penetration Tester for a major financial institution.

When he’s not figuring out what cert to get next (OSCE?!) or side project to work on, he enjoys playing video games, traveling, and watching sports.

Filed under Security Not Included

8 Responses to eWPTX Review – EXTREME Web Apps for EXTREME Hackers

  1. Josh

    Nice job! I just turned in my report for the eWPT. Waiting on my feedback. I don’t think I did so well after reading your post lol.

  2. OffensiveUsername

    What a garbage review. You’ve barely mentioned anything in the course at all.

    • While I disagree with your user information/tone, I actually appreciate the feedback on the topic. There used to be a lot more information about the course material and modules on the eLearn site, which is why I left it out of mine. That said, I did add a lot more information about what modules there are and what I thought of them. Other than that, I plan on blogging specifics and demos for some of the things that I learned.

      Thanks again, and good luck!

  3. Bob

    How much time did you spend on the exam? I’m currently working through the course material and if I’m correct, the exam lab is available for a week, but I’m wondering how much time one would actually need on average to test the exam app.

    • I ended up spending basically the entire week on the hands-on portion of the exam, though writing the report didn’t take anywhere near the full 7 days.

      That said, I kept working during the process, so it could definitely be shortened if it was all you were doing.

  4. unknown7

    Hello,

    Could you please let me know which is the proper plan (Full or Elite) when someone is working full-time?
    How many hours did you study per week? Is it better to purchase hours or days?

    I appreciate your reply!

    • Hi,

      I’d definitely recommend the Elite unless you are going to put in a ton of hours after work and on the weekend. The real reason for this is the exam voucher that never expires. When I did my eCPPT I ended up spending $300 or $400 extra just to keep it active and renewed.

      The hours or days will depend on you, but I definitely prefer hours (is that even a choice now?).

      As far as hours per week, it will vary from person to person. I didn’t really track mine, but based on the dates in my Evernote it took me about 2 months from start to completing the exam (while working).
