eWAPT v3 Review

si20si20 Member Posts: 543 ■■■■■□□□□□
It's very hard to review the course because quite honestly, there are highs and lows, like any course. I'm going to flip the review aroundand start with what I see as the negatives. There are a few but I'm not trying to bash the course as I did enjoy it, I just want to be 100% honest so people know exactly what to expect.

1) Getting replies in the forum - often you'll see unanswered posts. Or people told to look in the FAQ if they ever get a reply. To me, if something is being asked so many times, it hints that there may be a problem with the current setup. And as paying members/customers, we should always get a reply. During the exam I had a query and it took 3 days of the alloted 7 to get a reply from tech support. That's not good. At all.

2) The setup - VPN'ing is a bit of a nightmare. You've got to mess with hosts files, resolver files, have multiple different VPN configs for different labs. It took me a good few hours of lab time to figure out the ropes.

3) The challenges - you never get to find out what the answer was. I completed all challenges so this doesn't apply to me per se, but I can imagine people who paid to learn this stuff then never finding out how it should be done, this might be annoying.

4) Exam - Can you pass the exam with just the material given? Hmmm.... at a push, yes. The real issue here is that the material comprises of 2,344 slides. That is a mammoth amount of slides. I'll come back to this in my positives. The main negative is that eLearnSecurity can take up to 30 days to mark your exam and give you the result. At the time of writing, I have been waiting approx 4 working days. I feel like 3 days is pushing it, but 30?! I understand a lot of people may take the course, but this is a seriously long time to wait. Your heart is in your mouth whilst you await the news. Do I need to resit? Did I do enough? Oh god I've spotted a spelling error in my report ...will I fail?

So, how did I find the course? Overall, I enjoyed it. The materials were extensive. There are videos to explain each topic and these pave the way for the labs. The labs are all practical and will have you doing something relevant to the chapter. So if you're reading about SQL injection, then you can bet that they're going to give you a lab based on what you've just learned.

Personally, I had no issues with any of the labs. The only one I got stuck on was an authentication lab, which was more because there were approx 5 levels, each one getting slightly more difficult until my brain just simply gave up. When I took a break and returned to it, I figured it out.

The amount of course material, in my humble opinion is TOO much. But this is the positive section! Yes, I know. To some people including myself, this is a huge positive because you get a lot of content explained at a low level which helps your understanding. The slight problem is when the exam hits and like me, you're trying to skim,-read 2000+ slides. During the exam I was frantically referring back to my notes, videos, slides. The final exam is a practical exam. You get 7 days to perform a penetration test and then 7 more days to write up the report.

I don't care what anyone says - the exam is rough.  It's not a capture the flag. It's not a "prove there's a vulnerability and you're good"....no, you've got to exploit things fully to earn your points. How many points or things do you need to exploit? No one knows. eLearnSecurity don't tell you. And that's a good thing and a bad thing. It's good because it forces you to keep going in the same way Offensive Security force you to keep going. It's bad because you can't gauge if you've done enough. I've heard rumors saying you only need to do X, Y and Z to pass. And I've heard rumors saying X, Y and Z will fail. And then you can fail if your report isn't up to scratch.

I think anyone who has taken the exam will be honest enough to admit it's definitely not a beginner exam for sure. It took me 4 days to get admin access and then 1 day to write the report. 5/14 days used. Your OSCP isn't really useful here. This is a webapp course based on the materials they've taught throughout. WAPT v3 could definitely be the next OSCP, perhaps they already are. But I think they'll have to keep updating the material to remain leaders in the webapp security exam space. The plus side is that the course IS practical. No guessing multiple choice answers and 25% chances of getting it right.

Do I recommend the course? I do. But I feel like the course and setup needs some polishing.

Either way, it's a good course overall despite it having some flaws. Good luck to anyone who attempts this one next!


  • tedjamestedjames Member Posts: 1,179 ■■■■■■■■□□
    Great writeup! I'm actually starting on this one in June.
  • chrisonechrisone Member Posts: 2,278 ■■■■■■■■■□
    Great write up! Covered a lot of details and questions I know many people will have! 

    Starting my journey in June as well :smile:

    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • si20si20 Member Posts: 543 ■■■■■□□□□□
    Thanks, glad it was useful! I've fixed some typos (I'd posted it from my phone!)
  • ElitisElitis Member Posts: 50 ■■■□□□□□□□
    Curious to know what the "endpoint", for lack of a better word, was for the exam? Did you need to get root access to the web server (or any shell access for that matter) at all? Or did you need to get admin access to some kind of web application account or something similar? Not looking for anything overly specific of course, just curious how web pen-testing exams like this one generally go about everything. I've taken a couple eLS exams before so I understand it's not as simple as "get root on this server and you pass".
  • si20si20 Member Posts: 543 ■■■■■□□□□□
    edited May 2020
    Basically the ultimate goal is to end up as admin of the webapp. It's a hard goal....well, it was for me. There's one specific topic that you REALLY need to understand. Not just have done the labs, but truly understand it. The exam guide says document anything you do, any vulnerabilities you find. Any tool is allowed to be used. It's quite hard to do a write-up on the successful things you've tried along with unsuccessful! I'm really hoping the results are in soon.
  • ElitisElitis Member Posts: 50 ■■■□□□□□□□
    Interesting, thanks. And I definitely believe it when you say it's a hard goal. From the reviews I've seen regarding the eWAPT, a lot of them consider it the OSCP's equivalent in terms of difficulty for web pentesting exams. And I understand having to do write ups on unsuccessful exploits you've tried. I did one when I took the eCPPT. I kept thinking maybe there was some way to exploit the box that I just didn't think of. It was nerve-racking to think I may have failed because of it. I'm sure your results will be in soon. It only took a few days for mine to come in, different exam of course, but I've heard from others even though eLS says it could take up to thirty-days, results often come back much sooner. Of course, with this pandemic going on it could take them a bit longer unfortunately.
  • yoba222yoba222 Member Posts: 1,237 ■■■■■■■■□□
    Thanks for this very informative write up. Does anyone know when they released v3? Wonder how far away a v4 release might be.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • si20si20 Member Posts: 543 ■■■■■□□□□□
    yoba222 said:
    Thanks for this very informative write up. Does anyone know when they released v3? Wonder how far away a v4 release might be.
    August 2018. If they update every 3 years then August 2021 is possible. So 15 months from the time of posting. If it was 6 months away I'd probably wait, but the content is mostly still relevant, just misses XXE and JWT
Sign In or Register to comment.