My Take on eWPTv1
🇧🇷 Portuguese Version
This article is also available in Portuguese on Medium.
NOTE: Before sharing my experience, it’s important to clarify that I took the exam in October 2023, before the INE platform changed to version 2. At that time, we still had the option to choose between v1 or v2 of the exam. Therefore, some information may not be relevant for those considering the most recent version. However, I hope to contribute in some way by sharing my journey and experience with the exam.
My Perspective on eWPTv1
I found this exam quite challenging and fun. I confess there were moments when I felt quite anxious and apprehensive, especially regarding some technologies I wasn’t as familiar with.
As for the exam itself, I found it very interesting because it has a realistic approach. The fact that it’s a “blackbox” test, involves writing a report, and provides a mix of feelings regarding the possibility of finding vulnerabilities made the experience unique. The most challenging aspect was the constant questioning: “Was what I found enough, or are there more vulnerabilities?” The uncertainty indeed impacted me at times, as we don’t know exactly what to expect.
Additionally, it’s important to note that I only purchased the exam voucher. All my preparation was based on extensive practice using resources like TryHackMe, Crowsec, PortSwigger, in addition to conducting a lot of independent research. In total, I dedicated three months exclusively to preparing for this exam.
Why Did I Choose v1 and Not v2?
Well, we know that v1 is more outdated; I took that into consideration as well. However, the main factor was that v1 was more practical, resembling a real penetration test in a “blackbox” environment, and required writing a report. On the other hand, v2 doesn’t offer this option; it’s similar to eJPTv2, with several questions and the need to explore the environment to answer them. I decided to challenge myself once more and opted for v1. Additionally, I felt obligated to study slightly older technologies to understand some attacks, which I see as an excellent learning opportunity. Having to write a report was also something I wanted to test, as I had never taken a certification that required it. For me, it was challenging, and I confess I loved it, although I was quite anxious and worried since the report had to be written entirely in English.
The Exam
When you start the exam, you’ll receive a letter of engagement. It will detail the elements within scope (i.e., domains, subdomains, IP addresses) that you must test. Additionally, the letter informs you about a necessary but not sufficient task that you need to perform to pass this exam. There are several ways to complete this task, but it’s crucial to execute it and document it clearly in your report.
In simple terms, it’s as if they gave you a web application and you needed to scour everything, looking for any security issues you can find, and then report everything you discovered.
Another relevant piece of information is that you’ll need to properly configure name resolution (DNS) so that all requests from this test environment point to the VPN IP you’ll receive and connect to the exam servers.
Another interesting point is that the exam lasts 14 days, with 7 days to find vulnerabilities and another 7 days to write the report. That said, you can already imagine that the exam is somewhat extensive. I strongly recommend reserving at least a week or extended holidays to dedicate exclusively to the exam, especially at the beginning.
Just to reinforce, the exam doesn’t resemble a Capture The Flag (CTF); there are no flags to capture. You need to identify vulnerabilities and report them as in a real-life test.
There were moments when the exam environment was unstable and I had to refresh it at different times. However, aside from that, I had no problems completing the exam. Another positive point is that even after submitting your report and receiving negative feedback, you can redo it at no cost.
The Report
As I mentioned earlier, the deadline for writing the report is 7 days. Throughout the entire exam, it’s very useful to document everything you find. When I went to write the report, I had already separated all the vulnerabilities and evidence, so it was relatively easy to include the proof of concept. The biggest challenge, actually, was overcoming the barrier of writing the report in English and reviewing it, as I have some difficulties with the language, despite being exposed to it daily at work and in my studies. I had never done something of this importance, so it was quite a challenge, but completing it was very rewarding.
I tried to detail as much as possible in the report. When I finished it, I submitted a document with almost 70 pages and felt anxious. It took a little over 40 days to receive a response and learn that I passed on the first attempt. Despite the waiting time, it was worth it.
What I Studied
Here’s where you cry and your mom doesn’t see it.
To start my studies, I began by reading various summaries and tips about the exam, some of which provided possible study paths. Additionally, I visited the INE website to identify the recommended topics for study, since I only opted for the exam voucher and not the full course.
After that, I consulted friends who had already taken the INE course to get information about the study path recommended by the platform. I also discussed it with my friends who were preparing for the exam with me, and together we developed a personalized study plan. In the end, our study roadmap included approximately the following topics:
- Information Gathering
- Cross-Site Scripting (XSS)
- SQL Injection (SQLi)
- Enumeration
- Authentication and Authorization
- Session Security
- Web Services
- CMS (Content Management Systems)
- Report Writing
This path provided us with a foundation and helped us prepare comprehensively for the exam.
Conclusion
The eWPT is a fun exam and in my case, it was very beneficial. I recommend it for anyone who wants to deepen their knowledge in web security. However, remember that true learning comes primarily from your dedication, not just from the exam itself.
And finally, we passed this sh*t! Time to celebrate HAHAHA! LOL!


