  1. Member
    Join Date
    Apr 2017
    Posts
    41
    #1

    eLearnSecurity WAPT Journey

    Hello everyone,

    Yes, I know, I have an active topic on my journey through OSCP. I start PWK in 3 days, but my employer graciously also paid for eLearnSecurity's Web Application Penetration Tester course. I bought the "elite" version, so the documentation and certification voucher do not expire, and I have 130 hours of lab time that I can use whenever. Since they don't expire, I decided to enroll anyway, despite knowing my plate is already full with OSCP/PWK. PWK will still be my main focus over the next 3 months, and WAPT will just be something to fall back on during work when I have down time, as it's not as intensive as PWK/OSCP. I've been told by eLearnSec that it usually takes people a month from start to certification.

    Just a bit of background on me first: I really don't know a whole lot about web pentesting. I know the basics of XSS, SQLi, RFI, LFI, etc., and I have a few walkthroughs on my website http://www.hausec.com for Mutillidae, but I felt like I needed formal education on it instead of just watching Webpwnized's Mutillidae YouTube series (although he does a great job!).

    eLearnSecurity's format is similar to PWK. I have access to their documentation which covers several web pentesting modules as well as videos, labs, and the certification exam that I can take whenever. The modules covered are:

    1. Penetration Testing Process
    2. Introduction (Cookies, Session mgt)
    3. Information Gathering
    4. XSS
    5. SQLi
    6. Authentication and Authorization
    7. Session Security
    8. Flash Security and Attacks
    9. HTML5
    10. File and Resource Attacks
    11. Other Attacks
    12. Web Services
    13. XPath


    So far I've made it through the first two modules, which were a very simple introduction to things like cookies, session management, same-origin policy, etc.

    As far as content goes, so far, I'm pleased with it. The slides are not overly difficult to follow, but I did notice a few typos. Nothing world-ending, but if you're paying $1300 for a course, you'd expect proper grammar. The videos clear up any confusion quiet well, as the presenter is very clear and articulate in his explanations (yes, he speaks clear English). I have not started the labs yet, but it's similar to PWK where you have to VPN in. I plan on doing that once I wrap up this next module. Overall, the presentation is very nice. You're not jumping all over their website to find videos or references or the lab guides, etc. It's all in one place that is easy to navigate. The labs have walkthroughs as well, so if you're stuck, you can cheat, which is the opposite of PWK!

    This thread will be updated once I get more into it and can give better feedback, but I thought it would be worth sharing as eLearnSecurity is starting to become more popular. So far so good though!

  3. There is no spoon. p@r0tuXus
    Join Date
    Nov 2016
    Location
    KCMO
    Posts
    517

    Certifications
    ITIL-F, A+, S+, CCNA
    #2
    Grammer? *ahem* "quite" :P

    Great write-up of your prep, I found it helpful already. I wish you the best of luck and will continue to follow your progress!

    Completed: ITIL-F, A+, S+, CCENT, CCNA R|S
    In Progress: Linux+/LPIC-1, Python, Bash
    Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE

  4. Senior Member
    Join Date
    Nov 2012
    Location
    Montreal
    Posts
    589

    Certifications
    OSCP, CEH, SSCP, EJPT, CCNA:Security, CCNA:R&S, MCSA:W2K8, Linux+, LPIC-1, SCLA
    #3
    Good luck on this journey! Unfortunately, the PWK course doesn't go too deep into web app pentesting, so you'll learn a whole lot with the WAPT course. I suggest buying a copy of The Web Application Hacker's Handbook, as it has helped me a lot in learning web app stuff, and it also helps with bug bounties.


  5. California Kid JoJoCal19
    Join Date
    Mar 2009
    Location
    Jacksonville, FL
    Posts
    2,324

    Certifications
    CISSP, CISM, CISA, CRISC, GCIA, GSEC, CEHv8, CHFIv8, ITIL-F, MSISA, BSBA
    #4
    Good luck! I have PTS and PTP courses and I love their material.
    Have: CISSP, CISM, CISA, CRISC, GCIA, GSEC, CEHv8, CHFIv8, ITIL-F, BSBA - University of Florida, MSISA - WGU
    Currently Working On: MS Cybersecurity, Learning Python
    Next Up: None
    Reading: Python Crash Course

  6. Member
    Join Date
    Apr 2017
    Posts
    41
    #5
    I'm finished with 4/13 modules. The one I just finished was on XSS. Webpwnized's videos covered it quite well before this course, so I had a good idea of what to expect, but this course did a very good job of going more in-depth, especially regarding DOM XSS, which is something I was initially not sure how to do. The BeEF section was also great. I knew about BeEF before, but never really tried it out. The videos are very well done and clear up any confusion on the slides. Right now I plan on doing a module a day since I have quite a bit of down time at work next week, then I'll do PWK stuff when I get home.

  7. Member
    Join Date
    Apr 2017
    Posts
    41
    #6
    So I've been in it for a little over a week and I'm still on the SQL injection one. Comparing this to PWK is really not fair, as PWK blows it out of the water. The format for this is backwards from Offensive Security's format, in the sense that OffSec's format is: watch videos first > read PDF > do exercise (the same one shown in the video).

    eLS is: read PDF > watch a video that might cover what you read > do exercise, and then do more exercises without a guide.

    While the challenge exercises are nice, they're way more difficult than the "Lab" ones that have a walkthrough. The "Lab" exercises are extremely easy and really do not need a guide for them. If anything, I'd like a guide for the challenge exercises instead.

    Now this is where the real problem in the course comes in: the lack of support. In OSCP/PWK, I've run into issues in the labs that were answered immediately by either a forum post or an admin. That is not the case with eLS. I posted a question on the forums 3 days ago and so far it's gotten 11 views and no replies, and there's no option to contact an admin. I've emailed eLS support to see if there's another option, but it's almost as if, if you can't figure something out, then good luck. I find that a very awful business model for a $1300 course.

    That leads to the second problem I have with the course. The "challenge" exercises are of course more difficult, but they'll base the challenge off of 1 slide with 2 sentences, so you get a vague sense of what is going on but have no idea how to actually fix the problem or, in my case, properly inject the SQL statement. This of course leads to more questions than answers, which results in Googling stuff, but I didn't pay $1300 to get ushered into Googling stuff. I could've done that for free. The difference here is that in PWK, the videos clearly cover the exercises and the labs encourage you to think outside the box. Of course you'll have to Google things, as it covers many more topics, but at least you know what to Google and how to accomplish what you want to do, instead of taking random shots in the dark.

    Overall I'm not too thrilled with it when comparing it to OffSec's stuff. I think if OffSec opened their web pentesting course to an online model they'd make a killing. I'll post an update in the future, and another if I ever get help from eLS support.

  8. Senior Member chrisone
    Join Date
    Nov 2009
    Location
    Los Angeles
    Posts
    1,569

    Certifications
    SilentBreakSecurity - DarkSideOps, CISSP, CCDP, CCNP R/S, CCNP Security (Secure, FW) , C|EH , PA ACE
    #7
    I agree with you^

    I had some stuff posted months ago and I got nothing. I have my own personal experiences with the format and quality of this course, but I will reserve that until after I am done with eCPPT. I have the WAPT and ERES courses too, but I do not see myself going for the certifications. I am just going to use those courses for educational purposes. After reading your experience, it seems similar to my own.

    I feel there is a lot of jargon at times, and sometimes the bigger picture is missed. I did get the sense of a lot of misunderstanding or unclear intentions for a specific topic. For instance: was this topic/subject used for the exam, or is it additional supplemental information only to further clarify or to teach the history or background of something? How will we experience said topic/subject in the exam? How should we approach such a topic on the exam? I think clarity and structure perhaps is lacking on purpose? There could be many purposes, and nothing is perfect. I will continue to say this in my comments on eLearnSecurity: they have good material, and I have learned A LOT! I do not question their quality; it can just be frustrating to get around their structure. One has to wonder if they were trying too hard not to seem "noobish," because they throw in a lot of jargon to make it seem elite and miss out on structure.

    By no means am I bashing eLearnSecurity; it's just a sense I get from my own experience and what others like the OP constantly say.
    Last edited by chrisone; 06-29-2017 at 05:14 PM.
    2017 Goals: Dark Side OPS: Custom Pentesting (complete), eCPPT (in progress), LFCS (in progress), OSCP

  9. Member
    Join Date
    Apr 2017
    Posts
    41
    #8
    I've definitely learned a lot so far and their quality is very good, but I definitely agree with you and think they lack clarity and structure on a lot of things. I think the most frustrating thing is, once again, the lack of support they offer. I got an email back from eLS saying that all questions should be posted to the forums, but they'll forward my question to the instructor. I might hear an answer today, but who knows. That, as well as the fact that (for example) in the SQL injection module, they make a video showing the basics and such, then they just have a few slides on "Advanced" SQL injection & SQLMap with no video, and the challenges are of course based off of the Advanced section slides. It just seems backwards, for this section at least. I'll attempt the eWAPT, as it's already in my voucher and I get a retake as well if I fail, but if I fail both I doubt I'll pay for it unless they revise their content & include more support.

    I'm not saying it's a waste of money, because it's far from that, and again, the quality is good and the labs are very challenging & well-built. I'm learning a TON and I'm only halfway done, but I would just expect it to be much more refined for the price.

  10. Senior Member
    Join Date
    Dec 2007
    Location
    Grand Rapids, Michigan
    Posts
    1,831

    Certifications
    Network+ : A+ : Security+ : eJPT : Life+
    #9
    I've been looking at the WAPT off and on and I think it would be helpful. I would be super confused by this stuff since I'm not a web guy and I suck at learning websec anyway.

    Thanks for posting about this course. I wish more people did different courses through eLS.
    Booya!!
    ------------------------------------------------------------------------------------------
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****

  11. Senior Member chrisone
    Join Date
    Nov 2009
    Location
    Los Angeles
    Posts
    1,569

    Certifications
    SilentBreakSecurity - DarkSideOps, CISSP, CCDP, CCNP R/S, CCNP Security (Secure, FW) , C|EH , PA ACE
    #10
    Quote Originally Posted by Hausec:
    I've definitely learned a lot so far and their quality is very good, but I definitely agree with you and think they lack clarity and structure on a lot of things. I think the most frustrating thing is, once again, the lack of support they offer. I got an email back from eLS saying that all questions should be posted to the forums, but they'll forward my question to the instructor. I might hear an answer today, but who knows. That, as well as the fact that (for example) in the SQL injection module, they make a video showing the basics and such, then they just have a few slides on "Advanced" SQL injection & SQLMap with no video, and the challenges are of course based off of the Advanced section slides. It just seems backwards, for this section at least. I'll attempt the eWAPT, as it's already in my voucher and I get a retake as well if I fail, but if I fail both I doubt I'll pay for it unless they revise their content & include more support.

    I'm not saying it's a waste of money, because it's far from that, and again, the quality is good and the labs are very challenging & well-built. I'm learning a TON and I'm only halfway done, but I would just expect it to be much more refined for the price.
    Good luck on the response. I posted my issue back in May for lab 6:

    https://community.elearnsecurity.com...6-another-one/
    2017 Goals: Dark Side OPS: Custom Pentesting (complete), eCPPT (in progress), LFCS (in progress), OSCP