Introduction
Having completed several other certifications with eLearn Security (Now INE Security) I decided to challenge myself with the most difficult certification currently on offer in the offensive security path, the eWPTX. The exam was… “fiddly” - overall definitely one of the harder certifications I’ve gone for, however a lot of this was for all the wrong reasons. We’ll get to that shortly!
Certification Overview
According to INE “The eWPTX is our most advanced web application pentesting certification. The exam requires students to perform an expert-level penetration test that is then assessed by INE’s cyber security instructors. Students are expected to provide a complete report of their findings as they would in the corporate sector in order to pass.”
By the specification, the exam tests:
- Penetration testing processes and methodologies
- Web application analysis and inspection
- Advanced Reporting skills and Remediation
- Advanced knowledge and abilities to bypass basics advanced XSS, SQLi, etc. filters
- Advanced knowledge of different Database Management Systems
- Ability to create custom exploits when modern tools fail
INE offer formal training for this certification as part of their subscription service - I didn’t have access to this, but I’ve heard a lot of positive comments about the training experience. If you already have an INE subscription with access you’re in a great spot!
In terms of structure, the eWPTX is similar to other INE Security exams - spin up your exam environment, conduct a pentest and present a commercial grade report. Meet all the listed criteria and write a professional report and you pass. For the eWPTX, there are several key “milestone” objectives which must be completed in order to pass, in addition to which you must find and report additional vulnerabilities not specifically listed in the letter of engagement.
Study Resources
Since I didn’t have access to the official course from INE, I used a combination of other resources to prepare around the topics which were listed for the exam, the most important ones included:
-
HackTheBox: At this point, HTB has content which can serve as training for almost any hacking exam! I spent time focusing on machines (usually with writeups to check my work) which featured typical web attacks (SQLi, SSTI, XXE, XSS, SSRF, CSRF etc.)
-
Vulnhub: Much less important to me these days since I find spinning up a box via HTB much easier, however, vuln hub boxes are still an excellent way to focus on the core attacks mentioned above
-
Portswigger Web Security Academy: From the folks who bring you Burpsuite, the Web Security Academy is well worth working through, and a great way to get more practice with Burp.
Preparation Tips
Without giving too much away, it’s fair to say that this exam is hard - however, it’s hard because it’s “fiddly”, not because the exploits are especially unusual or exotic. Therefore, if you have a good grasp of SQLi, SSTI, XXE, XSS, SSRF, CSRF etc. you have a good start. You will want to make use of automated tools on the exam (there’s no weird restrictions a ‘la OSCP) so do be sure to have plenty of practice with them too. Burpsuite or OWASP Zap is a must - you’ll also want to be comfortable with common web attack tools like SQLmap and Dirbuster (or similar).
A big aspect of preparing for this one is the psychological game - I read quite a number of reviews up front and took on board that there may well be some instability in the environment as well as some exploits which needed firing a few times to work. What I didn’t really understand was that this meant that some payloads would work literally only once, then requiring a complete reset of the environment - this threw me on the exam and in a few places I was only able to move forward through throwing the same exploit again and again out of sheer frustration!
Therefore, have uppermost in your mind:
If you think you have found a vulnerability, and it looks exploitable IT SHOULD BE. There are no “rabbit holes” on this exam, so if it’s not working, just keep resetting the environment and re-sending the exploit until it works.
Exam Experience
As you may have sensed, I had a few issues with the exam experience - as many others have reported elsewhere.
Let’s begin at the beginning - the process of getting a voucher, activating the exam and downloading the letter of engagement was all fine. As with all INE Security certifications, you can start this one whenever you like via the dashboard. The dashboard also allows you to generate a VPN config file and reset, stop and start your exam environment. This all worked fine and was a nice smooth experience.
The lab itself - not quite so smooth! During previous INE Security certifications, I have experienced varying levels of connectivity problems - specifically the VPN would seem to randomly disconnect with the target hosts becoming unreachable, often without any actual error output from OpenVPN. The eWPTX was not terrible for this - but it wasn’t great either. I experienced one or two disconnects on most days, usually just requiring a restart of the OpenVPN process, but sometimes needing a lab reset. Overall manageable enough for the context, but certainly room for improvement.
The biggest issue then - by far - was the instability of the critical exploits needed to pass the exam. As mentioned above, the exam is structured in such a way that besides the usual work of finding and documenting vulnerabilities you also must exploit certain paths. The major issue for this exam is that these essential exploits seem to behave erratically and inconsistently. Payloads that I confirmed to work on one try would often not work again - sometimes after an environment reset, they wouldn’t work at all. This leads to a situation where a candidate can be using exactly the right payload, but not actually getting a response - at the very least this is unfair and in my opinion, INE really need to address this. I think it’s fair to say that if I hadn’t already looked at a good number of reviews and prepared myself for a lot of issues with the “critical” exploits I would have given up!
More broadly (and unlike other INE Security certifications) this one felt much more like a CTF than a pentest - personally that’s not my favourite “feel” to an exam - but it’s not excessive. The scenario feels contrived, but not ridiculous and there’s enough general context to make writing a sensible report more than doable. The flip side is that practising for the exam using HTB or similar CTF platforms is probably more applicable than it otherwise might be!
Should I get this certification?
I have always been a fan of the eLearn Security certifications - for the most part, they’re flexible, realistic and fair. The eWPTX wasn’t terrible, but it wasn’t quite up to the usual standard, and in addition, it was inconsistent and somewhat unstable. One major caveat to keep in mind is that I did not take the official training, and I wouldn’t be surprised if the official course had example payloads or a different approach to exploitation which may have worked better on the actual exam - nonetheless, a working exploit should always be a working exploit.
If you have an INE subscription I’d say the eWPTX is a good goal to aim for - similarly, if you’re fairly confident with web exploits and have the fortitude to keep telling yourself “No, this should work!” you should be able to pass the exam. This being said, for those who have less experience, less confidence or just less patience, this might not be the best certification for you, at least in its current state.
Conclusion
The eWPTX is a good concept, but it’s crippled by technical issues and instability which make it borderline unfair. I wouldn’t be surprised to see INE update this certification in the near future, and I hope they do because there’s certainly a place for it in the market - right now it just needs a little love and a few updates.