This was my ninth GIAC cert and probably the toughest one I've taken, largely because I'm not super comfortable with SQL. I ended up passing with an 80% on the test and hope that if I can provide anything to the community, I should at least try.
Method: On-Demand
Time of Study: 100 days (STI Program)
Additional Resources: https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470
Size of Index: 54 pages
Day 1 Expectation: Unlike most of the other courses I've taken, this one didn't start with things like Methodologies, Report Writing, etc. Instead it started you off right away on things like Open-Source information gathering, Google Searching, DNS zone transfers/querying and the like. Lots on HTTP and HTTPS along with cipher reading and Heartbleed.
Day 1 Advice: Labs were fun, and you definitely should know what you are looking at with DNS and the different commands within dig. The Heartbleed lab is informative; know what Heartbleed is and how it works. Google searching techniques and researching Google Dorks are a must.
Day 2 Expectation: Scanning with Nmap. Profiling with Netcat. Spidering a website. And Authentication/username harvesting.
Day 2 Advice: Be ready to read and interpret nmap results. Know what Netcat is going to throw out to you when you run it against a server. Understand default pages and what is contained on them from a web server. Read over the authentication material a few times to ensure you understand how these mechanisms work and what to look for, not only within responses but also in the various username/password boxes.
Day 3 Expectation: This is the injection day. Command Injection, LFI/RFI and SQLi are the money makers. Session management is also covered at the beginning of Day 3.
Day 3 Advice: This is your money maker book. I think I had more questions come out of this book than any other. Know how to read cookies. Know how to identify directory traversals and LFI. SQLi is self-explanatory. Know your statements!
Day 4 Expectation: This is your secondary money maker. It had the second-most questions, since you are dealing with XSS in it. You will also cover HTML Injection, AJAX and XXE.
Day 4 Advice: Know JS and XML as much as you can in terms of reading it. You are going to see a lot of stuff come your way in this book. I kept getting tripped up with XSS and injecting remote code and how it looked.
Day 5 Expectation: CSRF, Python Scripting, various tools (w3af, WPScan), and the pen testing methodologies/report writing.
Day 5 Advice: Know python and index it hard! Same with CSRF. Do all the labs in this book at least 3 times and make sure you understand what the tool is doing and what it is reporting.
Day 6: This is the Netwars stuff. Typically I don't do these while doing OnDemand because it isn't like you are winning a coin and I never feel they really "teach you" anything new. However, I did it with this class and it was a godsend!! Do it!!
Overall Impressions: Honestly, this was probably my favorite of any of the SANS courses I've taken. The material is pretty concise, and the instructor they recorded was humorous and methodical in their lecture, so that you could understand it. I referenced my coursebooks for 99% of the actual test. I used the secondary reference for only about 2 questions, and that was because the answers were not really sticking out to me. I feel like the labs do a great job reinforcing the material and helping the student come to an understanding of what the tool is doing and not just "use this tool." Very much applies to what I wish to do when it comes to bug bounties. This is by no means a super advanced course. However, if you don't have a good understanding of SQL and other programming languages -- I can see where people would get tripped up.
Index Advice: I do my index a little differently. I went and got the statements for the 3 databases they reference and put them all in there. I also break down things like what each line in an HTTP response header is and which ones are mandatory. This is naturally all in the book, but when it comes time for a test -- I can reference 60 pages quicker than looking for it in a book. My index was in-depth. I basically put each Python command within the index, so when a question asked what a command did, I could find it fast.
Overall, it was a fair test. What I got wrong were just things I didn't know what they were. I finished with about 40 minutes to spare, so I could have looked up more questions. Glad this one is over! Pen Testing Certificate through STI is complete!