eLearnSecurity Advanced Web Application Penetration Tester (eWPTX) Review
beniisan
Member Posts: 9 ■□□□□□□□□□
I have recently completed eLearnSecurity’s Web Application Penetration Testing eXtreme course and wanted to share my experiences.
Before taking this course I completed OSCP, but I felt that the OSCP really lacks depth in web application security. This was the reason that I searched for a completely web application security focused course which can be attended online and is cost-efficient (meaning it is not $5000 such as the SANS courses).
I found that eLearnSecurity’s Web Application Penetration Testing Extreme course fulfills these criteria well (the only con I found about the training is that the course material gets updated rarely).
First, it shows you a wide range of vulnerability types (XSS, XML, SQL injection, CSRF, HTML5, etc.) with comprehensive materials to understand them, to test for them, and to exploit them with real world examples (meaning you won’t test for alert('XSS') and the like).
What makes the difference between this course and the WAPT (its prequel course) is that in this course you learn much about evasion techniques (evading regexp filtering, WAF, etc.) and there are more in-depth techniques as well.
Although the course is quite comprehensive, there is still much you can learn outside of it; you have to research and explore several things, because many times there are directions and reference materials but not complete solutions. This means that you can never use tools out of the box such as running a simple sqlmap scan in the labs. You have to modify a lot of things with sqlmap or write a wrapper script to feed it to sqlmap in order to exploit an SQL injection. It’s quite different from Offensive Security’s OSCP "Try harder" approach, in that there is a student forum where you can get good and fast help if you need it.
Of course there are labs and an exam as well. The labs aim to have you practice the techniques which were gathered in the course materials; because of this, they are quite simple. Their main purpose is to have you understand how the technique works, but nothing more. It’s different from the OSCP labs where you just have to hack all the servers in the lab environment.
I found the exam much more interesting. It simulates a penetration testing assessment: you get the scope, objective, and 7 days of lab time to find ALL vulnerabilities on the site and then another 7 days to write a report. And you really have to find all vulnerabilities; if you forget to write down the simplest CSRF attack in your report then you fail. However, this works without the intent to make people fail the exam, because there is a free retake, and you get feedback on what kind of vulnerabilities you missed during your first time.
What I really liked in the exam is that you have enough time to research to make your exploits work during the assessment (for example, I read some chapters from security-related books to understand why my attacks do not work). As opposed to the OSCP exam, where time is really tight because you have only 24 hours to test, this really makes your work easier, and you can improve during the exam as well.
All in all I recommend this course to those who are interested in web security. After taking the course I understand the techniques taught much better than before. One thing is for sure, my next course will be an eLearnSecurity training as well.
Comments
-
Khohezion Member Posts: 57 ■■■□□□□□□□
Thanks for the review, I think your review is only the second one I've seen for this particular exam... I recently purchased the bundle from eLEARN for the PTPv4 and the WPT myself.
I do appreciate the format that eLearn provides as well... I think after I do these two I'll take a crack at the OSCP again... -
beniisan Member Posts: 9 ■□□□□□□□□□
Yup, I like them too, unfortunately, I can't buy the bundle, only one course per year.
But I've already chosen my next one: Practical Web Defense to complement the attack methods I learnt.
After I finish, I'll write a review about it too. -
mokaz Member Posts: 172
Excellent review! I've also purchased an eLearnSecurity bundle including the eWPTX. Thought this will go further than the OSCP as well.. Really happy about your positive review !!!
On my side, what I've been a bit disappointed with was the fact that downloading all the training content is cumbersome to say the least. I'd have liked a complete package as an archive per training but well, downloading each file is okay as well although time consuming (do I have every file?? control again, verify, etc..)
I really didn't have much time yet, some employer certs to finish 1st, but I'll start with the ARES/eCRE training seriously in October.
Cheers,
m. -
Privacy Banned Posts: 9 ■□□□□□□□□□
Shock another positive review from a company offering a prize for a review!
Not like a negative review will win imagine saying and in first place is this review and send a link out to everyone to read saying how poor it was.
Real shame a company has to scoop so low to get a free bit of advertising. -
beniisan Member Posts: 9 ■□□□□□□□□□
Or maybe, because I really like their courses?
I've just registered to my 4th one... -
JoJoCal19 Mod Posts: 2,835 Mod
I really didn't have much time yet, some employer certs to finish 1st, but I'll start with the ARES/eCRE training seriously in October.
Cheers,
m.
I'm REALLY interested in their ARES course. I'd love to see a journal thread and review when you go through the course. I've not really found any reviews out there for it.
Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework -
Mooseboost Member Posts: 778 ■■■■□□□□□□
Shock another positive review from a company offering a prize for a review!
Not like a negative review will win imagine saying and in first place is this review and send a link out to everyone to read saying how poor it was.
Real shame a company has to scoop so low to get a free bit of advertising.
The members of this forum have been fans of ELS long before the contest and there are plenty of positive reviews here. If you don't like what they are doing, don't read the threads that are reviewing them. It is poor taste to come into someone's review thread and act that way. Posting in one thread is okay to express your view, but this is the second attempt at it. -
supasecuritybro Member Posts: 206 ■■■■□□□□□□
I was wondering if you think you would need to do the WPT before doing the WPXT? I am interested in expanding my knowledge of web stuff and the eCPPT covers a lot already but I wanted to do more. You think just jumping into the eWPXT will be ok?
Completed: CISSP, GPEN, GWAPT, CCSA R80, eJPT, CySA+, M.S. Information Security
Current Goal: CCSE
Continuous Education Plan: AWS-SAA, OSCP, CISM
Book/CBT/Study Material: Max Power -
mokaz Member Posts: 172
I'm REALLY interested in their ARES course. I'd love to see a journal thread and review when you go through the course. I've not really found any reviews out there for it.
Yeahhh I'll do a thread.. I've read the 1st three modules' PDFs and it's well written, well posed and I like the down to earth approach of the teacher.. But really I've got so much on my table right now that I hardly leave the computers no more, which made me push a little bit further my serious ARES start... -
Khohezion Member Posts: 57 ■■■□□□□□□□
For that I think it would be best to ask this on the actual elearn forums in regards to content and what not.
-
drpizzahut Registered Users Posts: 1 ■□□□□□□□□□
I will for sure look into the elearnsecurity courses. Have been scoping them for awhile. It would be great to have before I go for my OSCP cert.
-
0b3lix Member Posts: 9 ■□□□□□□□□□
I've also been thinking about taking some eLearnSecurity course for a while now. One major concern I have is that I am a full-time employee and their exam design seems to be incompatible with that (most exams seem to be 7 days). Can you tell me if it's realistic to complete the exam within the time frame when you're working full time, or would you need to take a whole week off just for that?
-
xxxkaliboyxxx Member Posts: 466
Their courses are awesome, only problem I have which could be minor or not is the content updates. For example, SANS update their course and exams 3 times a year vs eLS. I mean you are paying 5x less so you have to weigh the pro/con ratio.
Studying: GPEN
Reading: SANS SEC560
Upcoming Exam: GPEN -
JensBada Member Posts: 14 ■□□□□□□□□□
Hi, in response to some of the questions in here (yes, I work for eLS):
The exam gives you 7 days lab access to do the hands-on tasks, plus 7 days to submit the report. It differs slightly depending on what course/exam you are taking. The details of that are in the exam description on our site. Most of our students attempt the exams "aside" from a job, so no problems with that at all. The 7 days period is designed to make it easy for you "especially" if you are on a job. There is also a chance for a retake in case things go wrong the first time. If you focus on the exam full time you can probably be done in less than a day or 2 max.
We do recommend to go for WAPT first before doing the WAPTX, but if after reading the syllabus of both courses one thinks he/she has the skills to go WAPTX directly then that's ok as well.
Updates: We do every now and then update or add minor things in the course content, that's not always announced or blown up by a big "UPDATED COURSE" post. Bigger version updates come when the course authors feel that much has changed and a major update is indeed necessary. There is no fixed "3-times a year" schedule for that.
Download of material: Thanks for the comment, we are looking into finding ways to address this better.
Yes, we are running a review contest where we look for HONEST reviews, not "I love it so much" stuff. We want to find out what and where we can improve, so we do actually look for the things our students feel can be better.
We do have a forum on our site too, this is a good place for course related questions or even things related to exams...
There are some reviews out there for ARES too, or the eCRE exam. Google is your friend...