GWAPT Challenge Passed

I had just passed my GWAPT challenge yesterday with a score of 76%. I know it isn't high but without official materials and books, definitely any tester is in for at the losing end when challenging the open book certification.

As I was busy with my new Job, I had took 8 months to complete the book Web Application Hacker Hand Book(WAHH) + Revision before going for the challenge test. I had also spend some time researching online on other people experience of taking GWAPT, and printed out various tools that could possibly been covered in GWAPT exam/ SANS course but not covered in WAHH, and read up on the first chapter from the book Python Violent in preparation for the exam.

For the those who are new to the system, challenge Exams comes with two practice exams like any other GIAC Exam that comes with course.

For my first practice, I had only score 70%, which is just the passing score; After the exam, I review my open book materials, apparently WAHH is kind of lacking in certain aspect, just as Session Tracking, HTTP Authentication Methods, various methods use for SQL injections, dns lookup tools.

I spend the next week printing them out and studying up on them before going for my second attempt, which I score a not impressive score of 74%. A few XSS javascript got me, I also found a few uses for the book counter hack reload and decided to keep it for my real exam.

I spend another week reading on XSS javascript, before going for the actual exam and got a score of 76%. Nevertheless, I was please to be able add this certification to my collection of 8 other cert, as well as earning CPE for CISSP, CEH and renewing one GIAC cert.

The book I have use for this are, Web Application Hacker Handbook, Introduction Chapter for Violent Python, The reconnaissance chapter for Counter Hack Reloaded and 100+ external notes for various tools printed from various sites found via google online.

Overall in terms of difficulty base on all of my challenge certs, I would rate GWAPT in this order from easiest to hardest
GCIH -> GPEN -> GISP -> GSEC* -> GWAPT -> GCIA

*While GSEC is easy, its very difficult to challenge without appropriate experience and books

I would not recommend taking GWAPT cert as the first certification, minimum I would recommend one to get familar himself with GCIH and GPEN domain before intending to take GWAPT.

Find more posts tagged with

Comments

Zoovash

Congrats!
Regardless of the score, it's always an achievement to pass a GIAC exam without the official materials.

cyberguypr

Congrats on the pass!

khiemkp

Congrast

5ekurity

Congratulations and thanks for the write-up!

cgrimaldo

Congrats! I always enjoy reading your posts because they are always full of content.

impelse

Congrats, also good information.

LR0926

Thanks for the write up and good information comparing the other certs and their relative difficulty!

LionelTeo

I will still rate GCIH as the most easiest to challenge exam as compare to other certs, first would be the overlapping content between CEH and GCIH, secondly would be that Ed Skoudis (course author for GCIH) had written a book call counter hack reloaded which at least contains 70% of the course material itself. Adding on with an incident handling book would allow you to net this cert easily and by pass HR Department looking for candidates with GIAC Certs.

ccnpninja

Congrats!

billyr2009

Congratulations Lionel!!

luckypen

Congrats...
I'm really interested in going for the GWAPT. My question is: Do I need to purchase the study material ?
I have the OSCP certificate and I have done a bit of pentesting. I'm wondering if anybody here has passed the exam without buying the 5k+ study material ?

Also, is there a place where i can find some sample questions? I want to get an idea of what type and style of questions will be on the exam.

LionelTeo

I have passed GWAPT without using the official study material. Challenge exams means taking the exam without it. The only book I used is WAHH (as stated in the post) and printed materials found via google for the exam.

xXxKrisxXx

luckypen wrote: »

Congrats...
I'm really interested in going for the GWAPT. My question is: Do I need to purchase the study material ?
I have the OSCP certificate and I have done a bit of pentesting. I'm wondering if anybody here has passed the exam without buying the 5k+ study material ?

Also, is there a place where i can find some sample questions? I want to get an idea of what type and style of questions will be on the exam.

Hey you don't need the official SEC542 study material, but it'll help out a lot. As LionelTeo mentioned, he passed it without the official study material and mentioned what he used to study with. The OSCP is great, but only a small section of PWB/PWK covers web application attacks. They go more in-depth on attacks and a few tools (ZAP Proxy, BeEF, etc) in SEC542. A few questions may be geared towards those tools. Take a look at the exam objectives: GIAC GWAPT Certification | Web Application Penetration Testing

There's no sample questions for the exam. If you purchase an exam voucher, you get 2 practice tests with sample questions. You use your scores from those practice tests to gauge your readiness for the proctored exam (obvious here). You also use it to see where your weak and what you need to study up on. In GIAC Proctored Exams, the practice exam questions aren't going to repeat and be on the real exam. Good luck!

luckypen

LionelTeo wrote: »

I have passed GWAPT without using the official study material. Challenge exams means taking the exam without it. The only book I used is WAHH (as stated in the post) and printed materials found via google for the exam.

xXxKrisxXx wrote: »

Hey you don't need the official SEC542 study material, but it'll help out a lot. As LionelTeo mentioned, he passed it without the official study material and mentioned what he used to study with. The OSCP is great, but only a small section of PWB/PWK covers web application attacks. They go more in-depth on attacks and a few tools (ZAP Proxy, BeEF, etc) in SEC542. A few questions may be geared towards those tools. Take a look at the exam objectives: GIAC GWAPT Certification | Web Application Penetration Testing

There's no sample questions for the exam. If you purchase an exam voucher, you get 2 practice tests with sample questions. You use your scores from those practice tests to gauge your readiness for the proctored exam (obvious here). You also use it to see where your weak and what you need to study up on. In GIAC Proctored Exams, the practice exam questions aren't going to repeat and be on the real exam. Good luck!

Thank you for the reply guys.
I am currently going through the WAHH. I also plan on doing the labs the authors provide. Hopefully i can pass it. I mean the learning curve cant be harder than OSCP xD

LionelTeo

The labs is quite expensive, for 7 dollar per hour, I wasnt really into them. I would recommend to try webgoat first and follow up with whatever gap that webgoat didnt offer on their online lab.

luckypen

LionelTeo wrote: »

The labs is quite expensive, for 7 dollar per hour, I wasnt really into them. I would recommend to try webgoat first and follow up with whatever gap that webgoat didnt offer on their online lab.

ya thats true. I will definitely look into the webgoat.
Its just that I heard the labs for WAHH are more advance than webgoat. I will still do the XSS and CSRF labs because I really need to be good at those not just for the cert but for the work I do.