GWAPT passed

docricedocrice Member Posts: 1,706 ■■■■■■■■■■
It's been about four months since I signed up for SANS SEC-542, Web App Penetration Testing and Ethical Hacking. My primary motivation for this particular course was due to my long-standing knowledge gap in the web applications area. If I'm to be configuring WAFs, load balancers, and IPS sensors, it would be highly beneficial to understand how applicable these tools are in defending against common web attacks such as XSS, CSRF, various injection techniques, etc..

To start off, I have no development background. I don't write JavaScript, Python, or PHP for a living in any capacity. I knew this would be a hindrance going in, but I have to face the music at some point in my career. I also don't have a web-layer mindset as I'm still very much more used to the packet-level, thinking in terms of addresses, ports, layer 4 headers, etc.. I figured this course would be a good stretch for me. The only thing in my background that would be of any help is some understanding of HTML from building my small websites over a decade ago.

542 follows a pentesting methodology: recon, mapping, discovery, and exploitation. There are lots of tools and lab exercises throughout the class. The instructor (Kevin Johnson) used SamuraiWTF as the basis for the lab work. He's one who created SamuraiWTF after all, so who better to present the material. The OnDemand course I took had lots of his stories, opinions, anecdotes, as well as the usual drinking-from-a-firehose flood of information one would expect from any SANS course. There's a lot to absorb and if you come from a network infrastructure role like I do, it can get pretty overwhelming.

I typically go through a SANS course within a few weeks and follow-up on the GIAC exam a month later. In my current job, I have much less time to devote to continuing education so it took me practically the entire four months of my available OnDemand time to get through it, plus prepare for the exam. And for someone like me who isn't used to thinking in terms of HTTP, AJAX, database queries, and web services, it was painful. I must have listened to the MP3 sets at least four times through during my commutes and it still wasn't sinking in as much as I wanted it to.

The course touches upon scripting languages such as JavaScript, Python, and PHP so one can recognize the basic structure when looking at page sources or examining content through an interception proxy. While I believe this is a crucial / mandatory skill for a web app pentester, 542 doesn't really expect you to become a developer or even a competent scripter from this class alone. It's not intended to make you a coder.

The class did open my eyes to and clarify many aspects of web applications which were either previously vague for me or unknown, such as SOAP, JSON, AJAX, Flash / ActionScript, same origin policy, etc.. My understanding on these areas are more refined now and if I'm at another con where people are talking about them, I'll at least have some idea of the conversation context.

But this course will not turn anyone into a pentester overnight. If you're completely new to web security, you're not going to come out of the class ready to perform professional vulnerability assessments for clients. I just passed the GWAPT exam and even I wouldn't hire myself for such a job. However, I think the material in 542 is pretty solid and covers a wide range of topics which are important for knowing how to approach such work.

The exam itself was the newer 2-hour, 75-question format. Unlike previous GIAC exams that I've taken, many of the questions in the new format will require some thought and analysis to answer correctly. There are a few which you could reference in the course materials, but a lot of them require the examinee to put together adjacent learned-subjects to formulate the right path. This is a welcome change.

Another change in the new format is that the counter representing questions answered correctly / incorrectly are only updated every fifteen questions, unlike previously where it updated after every question, forcing someone like me to keep a hawk-eye to check my progress after every answer submission to gauge my exam survival rate.

I finished the GWAPT exam in a little over an hour and I barely squeaked by the ninety-percent mark with a total of 90.67%. Before taking the exam, I had a strong feeling that I could easily fail this one as I've heard from others that the practice exams and the real ones were noticably different in difficulty. I got 93% on the one practice exam I took a few nights before. This was the first time where I did worse on the real exam compared to my practice version. However, there were some very good questions on both the practice and live exams that really made one pause and analyze the screen output. I felt these were the type of questions worthy of being on GIAC exams. There were a few which were way too obvious what the answer was, but overall the quality of questions seemed to have improved. Either that or web app stuff just really challenges me, even if it's first-grade level stuff.

Another thing to keep in mind is that in a few days (as of this writing), GIAC exams will no longer be done through Kryterion, but rather Pearson VUE.

I still think there is no substitute for actually "doing" the work and being able to demonstrate it. For this reason I think Offensive Security's approach to testing is much more realistic, although there's a place for SANS-style instruction. There's also an advanced version of 542 (642) which comes out soon:

https://www.sans.org/security-training/advanced-web-app-penetration-testing-ethical-hacking-5036-tid

Although I'm no pentester, I still think I got a good deal out of 542. Going through it hurt, but I somehow made it. It took quite a bit of mind-numbing persistence to stay focused as a lot of the material didn't click naturally for me, but that's just a shortcoming I have to deal with. For the moment, I'm really, really SANS / GIACed out. This is my fifth GIAC cert and instead of going for another cert, I need to read normal infosec books and spend more time applying knowledge that I've learned in all these courses. Otherwise it's going to evaporate quickly.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
«1

Comments

  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    Thanks for the synopsis. I found your comments useful.
  • JDMurrayJDMurray Admin Posts: 13,023 Admin
    Wow, it takes some courage to walk into an advanced, software-centric course knowing that you have no software development background. As you have shown, having first-hand experience with designing/implementing/debugging software isn't necessary for learning application pen testing, but it sure helps speed up the understanding of what you are learning. With that background, you would also better understand the mentality of your adversaries, who are definitely software developers.

    And don't cut out on SANS now! Having the GSEC, GCFW, GCIA, GCIH, GWAPT now qualifies you to go for the GSE. This is exactly what you need to put what you have learned into practice! icon_thumright.gif
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    While going through 542, I kept thinking to myself that if I only knew JavaScript better I could really understand the potential scope of exploitation that can be carried out. But if anything, a good takeaway is that all personal Internet web surfing should be done through an interception proxy. It's enlightening and educational.

    I'm actually in a position in a company that allows me to explore the subjects I've been studying these last couple of years for practical hands-on experience. It's just a matter of time management to be able to get things done. That's probably the best way to prepare for an eventual GSE attempt. I'd sure like to just have all my GIAC certs renewed with just a GSE pass, but that exam looks quite insane. If I could achieve both a GSE and a CCIE, my resume would start glowing. Whether if it means I can actually deliver in the real world after I experience a mental meltdown from all those years studying constantly, that's another story altogether...
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • YuckTheFankeesYuckTheFankees Member Posts: 1,281 ■■■■■□□□□□
    Almost review Docrice. Of the 5 SANS certifications you have, which one did you enjoy the most?
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    My first gut-answer would be the GCIA, perhaps because I relate to that subject more than others. This would be closely followed by either the GCIH or GCFW.

    By the way, it previously took several days for the certification to be listed under your name on the GIAC website. After I passed the GWAPT exam, it was there on the same day ... perhaps within the same hour. Looks like they streamlined the process on the back end.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • YuckTheFankeesYuckTheFankees Member Posts: 1,281 ■■■■■□□□□□
    I hope to take my 1st SANS course this year but I have no idea which one I would want to do. GWAPT is automatically out of the running lol Web app stuff scares me a bit, knowing I've never done anything related to development.
  • ipchainipchain Member Posts: 297
    Congrats on the pass and thanks for the excellent review. I personally felt GWAPT (SANS 542) covered the basics, but the course lacked in content. I regret having bought the course and should have saved the money for SANS 642, but you live and learn.
    Every day hurts, the last one kills.
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    I decided to sign up to take the exam this Saturday based on your review. I'm curious. How close to the real exam is the practice. I haven't taken a CBT exam before so I was wondering if the experience on the practice is the same. I also am leary because its open book.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    In my personal experience, the real GIAC exams were pretty close to the practice versions. However, others have reported that the practice exams were very different (or felt easier). Perhaps sitting the real exam makes one self-conscious that "this is the real deal" and creates some degree of apprehension. Or maybe the question pool on the exams that I just happened to get ended up being similar to the practice versions. Who knows.

    For me, it was also knowing that if I fail the exam, I'd have to shell out another $500 to try again (or whatever the re-take cost is). That feeling in the back of my mind doesn't help either.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    Thanks. That's helpful to know. I'm aapprehensive about not knowing what it may be like. I would have preferred a simple paper based scantron. The realtime -time scoring and open-book concept is throwing me off.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    Open book just means that you have opportunities to find some answers to some nit-picky questions (if there are any). In the past, there were questions that asked specific things such as (for example) command-line switches to tools. These days, a lot of the GIAC exams have half of the amount in both questions and time length to complete the exam ... but the individual questions themselves are more "cognitive." You'd have to fundamentally know the overall principles and core concepts of the material well enough to answer the question. The book reference is nice for some things, but there might be more analysis and thinking required.

    The score only gets updated every 15 questions. It used to be every question.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • laughing_manlaughing_man Member Posts: 84 ■■□□□□□□□□
  • JDMurrayJDMurray Admin Posts: 13,023 Admin
    I've taken the first practice exam for the GSEC, and while I think the format is fine, I'll be surprised if the actual exam items aren't a good deal more difficult. I expect practice exams to contain "teaching questions" designed to evaluate the knoweldge of the exam candidate, while the actual exam items are designed to be far more challenging. The major exception to this I've seen is where practice exams contain actual exam questions there were removed (obsoleted) from the exam pool.
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    Good luck with the GSEC. Not sure if the same methodology for question pool selection is the same as in the GWAPT. As it turns out I thought that the real exam was similar to the practice. This was the first CBT that I have ever taken - I found the scoring and inability to browse questions a bit disconcerting. But I guess thats what forward-progress is about icon_smile.gif@docrice - thanks for helping set my expectations.
  • JDMurrayJDMurray Admin Posts: 13,023 Admin
    docrice wrote: »
    The score only gets updated every 15 questions. It used to be every question.
    The is probably because GIAC realized that that indicating (in)correct answer selection on every exam item only helps the people attempting to memorize the questions to make ****. I still don't understand why they think they need to display the score tally during the exam. It's like an added distraction to increase the level of difficultly by psyching-out the exam candidate. I may just bring a yellow sticky note to cover that part of the screen during my exam.
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    Oh - that makes more sense - I thought maybe it was GIAC's way of competing with ISC2 and ISACA to see which organization could generate more anxiety for their candidates. Whereas - ISC2 and ISACA makes you wait 6 weeks, my theory was that it was one-upsmanship and GIAC was trying to give results every 15 questions to as you put it - "psyche out" the exam taker.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    I'm assuming you passed the GWAPT, in which case a congratulations is in order. How did you gauge the difficulty of the exam and what was your previous background and / or experience in the subject matter?
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • guyfawkes101guyfawkes101 Registered Users Posts: 2 ■□□□□□□□□□
    Many congrats on passing the course. Can you elaborate and provide your thoughts on GCED / GPEN courses as well. I have extensive experience in both network and app side of pen testing but I am looking to do one GIAC cert which covers advanced general aspects of info sec. I found description of GCED appealing to what I had like to get although it doesn't seem to be much popular.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    I definitely don't hear much about the GCED. If your pentesting experience is on the advanced level, I believe SANS has a course offering that's beyond 560 and 542:

    https://www.sans.org/security-training/advanced-penetration-testing-exploits-ethical-hacking-1517-mid

    https://www.sans.org/security-training/advanced-web-app-penetration-testing-ethical-hacking-1641-mid

    Most of the "advanced" GIAC certs are specialized.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    docrice wrote: »
    I'm assuming you passed the GWAPT, in which case a congratulations is in order. How did you gauge the difficulty of the exam and what was your previous background and / or experience in the subject matter?

    Thank you. I passed with a 97.33%. I am still trying to decide if I thought if the exam was difficult. Mentally, I was having a hard time with the exam being openbook and my lack of experience with CBT's. I am very used to a technique of taking exams where I would markup and go back to review so it threw me off.

    As for my background, I have over 20 years of IT experience. My skillset can be characterized as being a generalist and for most of the past 10-15 years,I have been in management or leadership roles so I dont get the opportunity for much hands-on work. Most of my recent roles have been in risk and infosec.

    I suspect that because I do have a software engineering background that the made it easier for me.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    That's a very strong score indeed. Can't get much better than that. Maybe you missed one question out of the whole exam. I'm pretty sure your software engineering experience helped a lot in terms of understanding the logic involved in looking at web applications.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • I2SecureI2Secure Member Posts: 13 ■□□□□□□□□□
    Nice Post ,,,, i will be also preparing same
  • holysheetmanholysheetman Member Posts: 113 ■■■□□□□□□□
    bringing this thread back to life.

    Any one around that's taken the 542 course (and the exam) along with having passed the CISSP? comparisons you'd like to share? I'm thinking the GWAPT is probably more technically oriented than the overall general questions you get in a CISSP exam.
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    I would be interested to hear comparisons as well.

    I personally did not find the GWAPT more or less challenging exam. To be honest, I felt that the exam was setup so that it is almost impossible to fail if you are reasonably prepared. To me, the GWAPT was about the same in technically difficult as the CISSP.

    As I recall, the CISSP was a lot more mentally challenging for me because of the breath of topics and the sheer length of the exam. The GWAPT was a breeze in comparison.
  • McFlyMcFly Registered Users Posts: 4 ■□□□□□□□□□
    Hi, i need some help from any person....i´m trying to get the GWAPT certification, but the cost of the official books is too high for me...Is there any possibility to get the GWAPT official books from Internet? I only saw the AudioBook file available on the Internet.....

    In the case that is not possible to find the official books, what others books should i read to prepare the GWAPT exam?


    Thanks in advance!
  • JDMurrayJDMurray Admin Posts: 13,023 Admin
    SANS training material is only avaialble directly from SANS. Anything you find on the Internet, other than on sans.org, is either 3rd-pary (e.g., someone's notes from a SANS class), pirated, or faked. Using illicit SANS materials to achieve a GIAC certification is in direct violation of the agreement you must sign with GIAC to take the exam, and will result in your GIAC certification(s) being revoked.
  • McFlyMcFly Registered Users Posts: 4 ■□□□□□□□□□
    Ok, fine....is there any way to prepare the GWAPT certification without the official books (and official training courses)? What other books should i read for this?

    Regards,
  • Pankaj_SinghPankaj_Singh Registered Users Posts: 2 ■□□□□□□□□□
    I also passed GWAPT (Sec-542) . Like SANS-Style icon_cool.gif
  • diggitlediggitle Member Posts: 118 ■■■□□□□□□□
    You getting a 90.67% should tell people its a hard exam. I would think having an arms length of books to take in would net a 100% by everybody. I've actually seen people fail these type of exams in spite of being able to take books in.
    c colon i net pub dubdubdub root
  • idjulidjul Registered Users Posts: 1 ■□□□□□□□□□
    Can someone tell me if questions found from the practice tests are in the final exam ?
Sign In or Register to comment.