GWAPT Certification Review
In an effort to gain another cert this year, this past month I took SANS SEC542 and completed the GIAC Web Application Penetration Tester (GWAPT) certification.
For context, this class is the entry-level web application pentesting course SANS offers. I have 6 years of experience doing AppSec testing, so I knew going in that the material would be mostly review, with hopefully a few unfamiliar topics.
Class
The class was available in a few different formats:
- In-Person
- Online self-paced
- Live Online during an in-person event
Since my employer isn’t currently approving training travel, and because I’m bad at scheduling time for self-paced training, I opted for the Live Online format, which ran over the course of a week. The class was being taught in a conference room somewhere to in-person students, with the Live Online folks attending remotely via Zoom.
The instructor was great and the information was laid out in a logical sequence. Some of the labs were a bit simplistic but overall they were good applications of the material.
The class ran Monday to Saturday with the last day dedicated to a CTF. I was unable to make that last day, but it was fine since all the material had been covered by the end of Friday’s session.
Study
After the course ended, I started creating my “index”; let me explain what this is.
Before the class begins, Live Online students are mailed printed and bound copies of all the slides for the course, including detailed speaker notes for each slide. Since all GIAC exams are open-book and open-note, you can bring as much printed material as you’d like into the exam, within the rules. Most people create what is known as an “index”: essentially a table of contents for all the topics covered in the class. This method is recommended by many GIAC test-takers and even SANS instructors. Everyone creates their index a bit differently, but in a nutshell you:
- Create a table in your office program of choice
- Go through every page of every book provided
- Add a row to the table for every topic discussed, including:
  - topic
  - book number
  - page number
  - short description
- Optionally add color-coded tabs for faster book navigation
- Print with gridlines on and staple the pages together
So for example, here’s a row from my index:

| Topic | Book | Page | Description |
|---|---|---|---|
| Broken Function Level Authorization (BFLA) | 3 | 13 | Invokes functionality for which a user is not authorized. Function accessed via API |
For me, this method works very well, since it feels like cheating to create a faster way to look up the exam answers. In reality, it is completely allowed, and the act of creating the index itself ensures you understand each term.
Practice Exams
I didn’t have much time the week after the class to create the index, but eventually I did finish it. The next day I took the first of the 2 practice exams included in the course. I like to take the practice exams as closely as possible to how the real test will be. That means no electronics, nothing on my desk that isn’t allowed, blocking out the entire 3 hours allowed, and getting my house as quiet as possible. The only deviation from the “real” test is that I had a blank piece of paper on which I recorded any topics referenced in the test that weren’t in my index. After 2 hours, I finished the test with a score of 96% and a list of a dozen missing index topics. I added these to the index, re-printed it, and scheduled my real test for later that week.
Two days before the test, I took my second practice test. I got a handful of identical questions from the first one and a few more topics to add to my index. After 90 minutes I ended, amazingly, with the exact same score of 96%.
Exam
GIAC offers 2 exam delivery options: in-person at a testing center or online. I was considering taking it online, but in previous non-GIAC exams I’ve taken online, the “cheat check” process was quite invasive, requiring me to pan the webcam around the room so the proctor could ensure I didn’t have a second computer, and to cover my second monitor with something. Also, if you take the exam online you are completely responsible for any computer or internet issues and will need to pay a fee to re-take the exam if it cannot be completed. I picked the testing center nearest to me.
The testing center process was unremarkable. It was half testing center, half public school (?) on the end of a strip mall. I wish I had been allowed to bring my own noise-cancelling headphones, because the ones provided were too small to fit over my gigantic head. I felt a little bad about being allowed to bring so much printed material with me into a room where 4-5 other people were taking tests that apparently didn’t allow any notes.
After 90 minutes, I submitted the last of 82 questions and was immediately greeted by a page saying I’d passed with a score of 99%. I couldn’t help but laugh at the score, but I’m not sure why. I was confident going in that I would pass, but I didn’t think I’d only get 1 question wrong.
I later got an automated email from SANS informing me that my score qualified me to “learn more about” the SANS Instructor Development Program. I’ll need to do some research later into what exactly that is.
Exam Tips
- Take your time and read every question thoroughly. A lot of questions have at least 2 answers that sound correct at first, but re-reading will reveal important distinctions.
- Refine your index as you take the practice exams. 82 questions in 180 minutes means you can spend a little over 2 minutes on every question, which is more than enough to look up every answer if you have a good index.
- Make sure you can complete each of the labs without issue. The last 5-7 questions of the exam are “Cyber Live” questions, meaning you will be dropped into a VM and asked to exploit a vulnerability in a target system. The course lab environments remain available for some time after the class ends if you want to do a lab again.
Difficulty
Having completed the OSWA, I can say the coursework, and especially the exam, for that certification were orders of magnitude more difficult than the GWAPT, even though they both purport to be “entry-level” web application pentesting certs.
I think this class would be easily passable by anyone with at least a year of webapp pentesting under their belt. I also suspect developers making a switch to security would find it totally doable.