Portswigger recently announced their Burp Suite Certified Practitioner certification. As a Burp Suite enthusiast and self-proclaimed subject matter expert, I decided to exercise the certification preparation process as a way to sharpen my skills, provide insight to others on the preparation process, and ultimately decide whether or not I would give the certification exam an attempt myself. Below are my takeaways from the process and thoughts I want to share with others that are considering an attempt at becoming a Burp Suite Certified Practitioner.

This article does NOT include spoilers or a walkthrough of the practice exam. This article only includes facts observed and opinions formed by exercising the documented certification process. No one has in any way influenced the things I say here. I get no compensation from Portswigger or any of their competitors. I am a user and consumer just like everyone else reading this.

Portswigger documents the following process for becoming a Burp Suite Certified Practitioner: I found it funny that the process stopped at them getting paid, as there was no 4th step or beyond to actually take the certification exam, receive a score, etc. I just found it amusing.

At a high level the process is fairly simple, with the actual purchase and setup for the certification exam being the most complex given the nature of remote virtual proctoring. But this isn't about any of that, so the remainder of this article will focus on the first two steps of the process.

The certification exam preparation is really all about the Web Security Academy. If you've taken one of my classes, then you've heard me rave about this. On a technical level, this is the best web application security content you can find, and it's completely free. It sounds like I'm giving you a reason not to take my classes, doesn't it? Well, not quite.

This training is designed around specific vulnerabilities. There is very little here in terms of process, mindset, and tooling. You'll learn a lot about specific vulnerabilities, but you'll have no idea how to actually approach an application. That's the gap I try to fill with my classes. I don't just want my students to have more knowledge. I want my students to know how to practically apply the knowledge.

Regardless, the Web Security Academy is really good stuff. If you're a practitioner in the field, you should review all of this content, even if you have no intention of attempting the certification.

Portswigger recommends that you be comfortable with ALL Practitioner level labs before moving forward with the certification process. I'd say this is accurate based on my experience. Review the content for each vulnerability and do the labs. Try to do the labs WITHOUT looking at the solution first, and only use the solution if you are completely lost. If you have to use the solution, that's an indicator that you aren't ready to move forward, or the lab is broken (more on this in a bit).

The depth in which Portswigger goes with this stuff is kinda nuts. While not all of it is Practitioner level, there was some stuff rated at the Practitioner level that caught me by surprise due to its difficulty level. This coming from someone that has been writing code for almost 30 years and doing application security for roughly a decade.

While the academy labs are great, they are not without issue. One of the things I encountered on several occasions with the labs was that the solution was not about having a right answer, but having Portswigger's answer, which was unrealistic. There were several labs where I know I had a payload that should have worked and could confirm it, but because it wasn't what the lab was built to detect, it failed to solve. This is dangerous for less experienced learners because it teaches them that it has to be done one way, when in reality the labs should be able to be solved in many ways.

There were other labs that were just broken. I had originally put them in the above category of labs thinking I just had the wrong solution, but after becoming desperate to solve, I went to the solution for the answer. In many cases the solution was exactly what I was trying to do, but even when it wasn't, the provided solution didn't work either. In other cases the target didn't even present the resource that the solution exploited. The solution would magically include the resource, but the resource was not available in the lab itself.