eWPTX Review – EXTREME Web Apps for EXTREME Hackers

I finally got my final feedback, so it is time for my eWPTX review.

eWPTX Exam

The exam was very similar to the eWPT exam.

To quote NovaHax on TechExams:

  1. Here’s an App
  2. Test the App
  3. Gain Admin Access to App
  4. Document all findings

While sub-domain enumeration wasn’t quite as important to start this one, it was another standard web-app pentest.

There were a number of avenues of exploitation to follow, albeit harder than in the last cert.

Standard information gathering, enumeration, and exploitation apply to the challenges, but make sure you take special care with filter avoidance.

In the end, I ended up with around 15 vulnerabilities for the entire application in a 27 page report.

eWPTX Course – Introduction

The course material for eWPTX was in-depth, but here is a bit about each section.

  • Encoding and Filtering – this was a fairly basic introductory chapter, but still had some useful information. The most interesting was the ability to view IE’s XSS filter regex.
    C:\WINDOWS\system32>findstr /C:"sc{r}" \WINDOWS\SYSTEM32\mshtml.dll | find "{" > C:\Users\Ray\Desktop\xss.txt
  • Evasion Basics – this covered a few alternative methods, encoding practices, and tricks for general evasion. That said, this section was the reason for me picking up r4y.pw and my Short XSS post. Additionally, I have future ideas for attacks that I plan on posting soon.

eWPTX Course – XSS

The XSS sections were great, and I have plans for a few more blog posts about them.

  • Cross-Site Scripting – I worried that this section would just cover the very basics of XSS, but I was wrong. This touched on DOM XSS more than most courses, covered actual uses of XSS (cookie grabbing, keylogging etc.), and more. Additionally, it covered an entirely new version of XSS that I had never heard of called Mutation Based XSS.
  • XSS – Filter Evasion and WAF Bypassing – this was a fairly straightforward module with a lot of information, focused on getting past filters and WAFs so that the XSS actually executes. The labs followed in increasing difficulty, but it was mostly encoding, using different tags, and general trickery.

eWPTX Course – CSRF/HTML

There were a few interesting chapters between XSS and SQLi, though obviously these were the meat of the course.

  • Cross-Site Request Forgery – this module was the first time I’d ever found CSRF interesting. Usually a tutorial or book only covers the basics of sending a request on someone else’s behalf. This module (and the relevant labs) actually had me attacking CSRF token implementations and things I would have overlooked. Additionally, it demonstrated a few techniques for sending the request outside of the standard auto-submitted form.
  • HTML5 – unfortunately, this module was a bit on the light side, and I was hoping for more. That said, it did go into an interesting idea about a browser-based botnet that I’d like to research further.

eWPTX Course – SQLi

These few modules were actually very helpful when it came to SQL Injection, and I look forward to taking them even further.

  • SQL Injection – this chapter was great in general for covering some more advanced injection techniques beyond ' or 1=1 -- -. More importantly, it taught me about second-order SQLi: the injected string is stored as data and does nothing at first, and the attack only fires later when something ELSE reads that stored value back and uses it in a query. This is something that I have an entire blog and demo planned for, so stay tuned!
  • SQLi – Filter evasion and WAF Bypassing – a similar module to the XSS avoidance/bypass one, but with some different techniques. SQL doesn’t allow as many encoding techniques, but there are various ways to build letters and strings to bypass simple filtering. I also found a fun trick from Osanda for SQLi without information_schema based on my research for this chapter.
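To make the second-order idea concrete, here is an added example in Python (not code from the course or from this post): a registration step that stores the username safely with a parameterized INSERT, a password-change step that later reads that username back and splices it into an UPDATE by string formatting, and the hardened version that keeps binding it as a parameter. The in-memory SQLite database, the admin row and the stored username value are all constructed for the demo.

```python
import sqlite3

def setup_db():
    """Constructed demo database: one admin account (plaintext password only for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'secret')")
    conn.commit()
    return conn

def register_user(conn, username, password):
    """First-order sink is safe: the parameterized INSERT stores the username as plain data."""
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    conn.commit()

def get_password(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None

def change_password_vulnerable(conn, user_id, new_password):
    """Second-order sink: the username comes out of the database, is trusted because it
    "already passed validation", and is spliced into the UPDATE by string formatting."""
    username = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    sql = "UPDATE users SET password = '%s' WHERE username = '%s'" % (new_password, username)
    conn.execute(sql)
    conn.commit()

def change_password_safe(conn, user_id, new_password):
    """Hardened form: data read back from the database is still bound as a parameter."""
    username = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    conn.execute("UPDATE users SET password = ? WHERE username = ?", (new_password, username))
    conn.commit()

def run_scenario(sink):
    """Register a user whose stored name carries a quote and a comment sequence, then have
    that user change their OWN password through `sink`. Returns the admin password after."""
    conn = setup_db()
    register_user(conn, "admin'--", "anything")  # stored harmlessly; nothing happens yet
    user_id = conn.execute("SELECT id FROM users WHERE username = ?", ("admin'--",)).fetchone()[0]
    sink(conn, user_id, "changed")
    return get_password(conn, "admin")

if __name__ == "__main__":
    # The vulnerable sink rewrites the admin row; the safe sink only touches the user's own row.
    print("vulnerable sink -> admin password:", run_scenario(change_password_vulnerable))
    print("safe sink       -> admin password:", run_scenario(change_password_safe))
```

The takeaway for reviewing code is that "comes from our own database" is not a trust boundary: any value that was ever user-controlled needs the same parameterization at every sink, not just the first one.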

eWPTX Course – XML Attacks

As someone who has always been a huge fan of XML attacks, I loved these sections.

  • XML Attacks – this section was awesome, and quite possibly my favorite. XXE attacks have long been a favorite of mine, albeit a bit harder to find, but this took them even further. This chapter actually covered XPath injection, XXE, and even XEE (XML entity expansion) attacks. The labs themselves were actually vulnerable to XEE, and you would have to “DoS” them and drive their utilization high before you could get the flag. I’d never actually been able to use this attack in practice, and it was fun to tinker with.

Status/Next Steps

Since I already got my feedback, I’m just waiting on the physical cert to arrive!

eWPTX Review - Complete

This cert was awesome, and I’m looking forward to some additional research following it.

As you can see, I’ve already posted two new topics on XSS – frameset and short.

Beyond this, I plan on posting a bit more about XPath, XXE, SQLi, filter avoidance, CSRF, and even more XSS.

This was definitely a challenging cert, but it was well worth it in my opinion. The relevance to my current position is great, and I learned a lot from it.

Though I’ve actually already started it, next up is the eMAPT course.

16 Comments

  1. Nice job! I just turned in my report for the eWPT. Waiting on my feedback. I don’t think I did so well after reading your post lol.

    • While I disagree with your user information/tone, I actually appreciate the feedback on the topic. There used to be a lot more information about the course material and modules on the eLearn site, which is why I left it out of mine. That said, I did add a lot more information about what modules there are and what I thought of them. Other than that, I plan on blogging specifics and demos for some of the things that I learned.

      Thanks again, and good luck!

  2. How much time did you spend on the exam? I’m currently working through the course material and if I’m correct, the exam lab is available for a week, but I’m wondering how much time one would actually need on average to test the exam app.

    • I ended up spending basically the entire week on the hands-on portion of the exam, though writing the report didn’t take anywhere near the full 7 days.

      That said, I kept working during the process, so it could definitely be shortened if it was all you were doing.

  3. Hello,

    Could you please let me know which is the proper plan (Full or Elite) when someone is working full-time?
    How many hours did you study per week? Is it better to purchase hours or days?

    I appreciate your reply!

    • Hi,

      I’d definitely recommend the Elite unless you are going to put in a ton of hours after work and on the weekend. The real reason for this is the exam voucher that never expires. When I did my eCPPT I ended up spending $300 or $400 extra just to keep it active and renewed.

      The hours or days will depend on you, but I definitely prefer hours (is that even a choice now?)

      As far as hours per week, it will vary from person to person. I didn’t really track mine, but based on the dates in my Evernote it took me about 2 months from start to completing the exam (while working).

  4. Hello,

    Do you recommend taking this course after the OSCP? I finished the OSCP last year and I don’t know which course or cert I should take now. I don’t want to stop learning, Ray!

    Are you currently taking any course? Which course are you taking?

    Thanks,
    Eric

    • Hi Eric,

      You could take this course before OR after the OSCP if you wanted, as they aren’t really related. That said, I’d take this one after eWPT unless you have a fair amount of Web App Pentesting experience. I took it while a Web tester and still learned a lot.

      I understand, and am always taking courses myself! I’m currently finishing up the SecurityTube Linux Assembly Expert (see my recent posts), and plan on starting the OSCE next month!

  5. Hi Doyler,

    Thanks for the information. I completed my OSCP around 5 months ago and I am interested in eWPTX. Do you recommend doing eWPT first or can I go straight to eWPTX?

    How does the difficulty compare to the OSCP (granted, the web app portion in the OSCP was not huge)?

    Were ASP.NET and .NET Core applications targeted in the course, or just more PHP?

    Thanks

    • You’re welcome, and congratulations on the OSCP!

      I do recommend doing the eWPT first if you have the time/money. I was already a web application penetration tester at the time, and I still learned some useful tips and tricks.

      The difficulty is probably a little easier than the OSCP overall, but it’s an entirely different topic.

      It was primarily PHP based, but most of the techniques were platform agnostic (filter bypasses, etc.).

  6. Hey Doyler,

    Congrats on getting the cert. How much coding do I need to pass this exam? Does it involve writing a lot of PHP scripts? Also, is every scenario/vuln that you came across in the exam covered in the labs and videos? Apart from the materials, what other sources would you suggest?

    Thanks

    • Thanks, it was an awesome one!

      You don’t need to know any coding, but it never helps to be familiar with various languages during penetration tests. As far as writing scripts, you can always automate tasks if you’d like, or just perform the actions manually.

      That said, the labs/material/videos will cover everything that you need to pass the exam, as long as you understand the material!

      Other than that, you can always look into other vulnerable VMs/web based CTF challenges for extra practice.

      Thanks again, and good luck!
