Dan [the] Salmon

GWAPT Certification Review

Certifications

In an effort to gain another cert this year, this past month I took SANS SEC542 and completed the GIAC Web Application Penetration Tester (GWAPT) certification.

For context, this class is the entry-level webapp pentesting course SANS has. I have 6 years of experience doing AppSec testing so I knew going in the material would be mostly review with hopefully a few unfamiliar topics.

Class

The class was available in a few different formats:

Since my employer isn’t currently approving training travel, and because I’m bad at scheduling time for self-paced training, I opted for the Live Online format over the course of a week. The class was taught in a conference room somewhere to in-person students, with the Live Online folks attending remotely via Zoom.

The instructor was great and the information was laid out in a logical sequence. Some of the labs were a bit simplistic but overall they were good applications of the material.

The class ran Monday to Saturday with the last day dedicated to a CTF. I was unable to make that last day, but it was fine since all the material had been covered by the end of Friday’s session.

Study

After the course ended, I started creating my “index”; let me explain what this is.

Before the class begins, Live Online students are mailed printed and bound copies of all the slides for the course, including detailed speaker notes for each slide. Since all GIAC exams are open-book and open-note, you can bring as much printed material as you’d like when taking the exam, within the rules. Most people create what is known as an “index”: essentially a table of contents for all the topics covered in the class. This method is recommended by many GIAC test-takers and even SANS instructors. Everyone creates their index a bit differently, but in a nutshell you:

So for example, here’s a row from my index (columns: Topic, Book, Page, Description):

Topic | Book | Page | Description
Broken Function Level Authorization (BFLA) | 3 | 13 | Invokes functionality for which a user is not authorized. Function accessed via API

For me, this method works very well, although it almost feels like cheating to create a faster way to look up the exam answers. In reality, it is completely allowed, and the act of creating the index is itself a way to ensure you understand each term.

Practice Exams

I didn’t have much time to work on the index the week after the class, but eventually I did finish it. The next day I took the first of the 2 practice exams included in the course. I like to take the practice exams under conditions as close as possible to the real test. That means no electronics, nothing on my desk that isn’t allowed, blocking out the entire 3 hours allowed, and getting my house as quiet as possible. The only deviation from the “real” test is that I had a blank piece of paper on which I recorded any topics referenced in the test that weren’t in my index. After 2 hours, I finished the test with a score of 96% and a list of a dozen missing index topics. I added these to the index, re-printed it, and scheduled my real test for later that week.

Two days before the test, I took my second practice test. I got a handful of identical questions from the first one and a few more topics to add to my index. After 90 minutes I ended, amazingly, with the exact same score of 96%.

Exam

GIAC offers 2 exam delivery options: in-person at a testing center or online. I was considering taking it online, but in previous non-GIAC exams I’ve taken online, the “cheat check” process was quite invasive, requiring me to pan the webcam around the room so the proctor could confirm I didn’t have a second computer, and to cover my second monitor with something. Also, if you take the exam online you are completely responsible for any computer or internet issues and will need to pay a fee to re-take the exam if it cannot be completed. I picked the testing center nearest to me.

The testing center process was unremarkable. It was half testing center, half public school (?) on the end of a strip mall. I wish I had been allowed to bring my own noise-cancelling headphones because the ones provided were too small to fit over my gigantic head. I felt a little bad about being allowed to bring so much printed material with me into a room where 4-5 other people were taking tests that apparently didn’t allow any notes.

After 90 minutes, I submitted the last of 82 questions and was immediately greeted by a page saying I’d passed with a score of 99%. I couldn’t help but laugh at the score, but I’m not sure why. I was confident going in that I would pass, but I didn’t think I’d only get 1 question wrong.

I later got an automated email from SANS informing me that my score qualified me to “learn more about” the SANS Instructor Development Program. I’ll need to do some research later into what exactly that is.

Exam Tips

Difficulty

Having completed the OSWA, I can say the coursework, and especially the exam, for that certification were orders of magnitude more difficult than the GWAPT, even though both purport to be “entry-level” web application pentesting certs.

I think this class would be easily passable by anyone with at least a year of webapp pentesting under their belt. I also suspect developers making a switch to security would find it totally doable.