The following review is a summary of my experience with the eLearnSecurity Web Application Penetration Testing course and certificate. This is my opinion based on my experience and not the standpoint of the company I worked at when I did the course. Also, I am not paid by eLearnSecurity.
I had 1.5 years of experience in internal penetration testing and 3 years of system administration. I had a BSc in Information Technology with OSCP, MCSE and NetApp certificates and their courses. I had previously learnt the "breaking" part by myself, and the how-things-work part also from courses and from experience.
I chose this course because I wanted to fill in my blank spots and have a certificate in web application penetration testing with a hands-on exam, because I hadn't had time to search for everything.
You can see what the chapters are and what you will learn in the syllabus. The course breaks down the material into reasonable chapters and has a little connection to the OWASP Top 10. I liked how it is organized: each chapter completely builds up and explains the attacks. It starts with the concept and then shows an example with the complete payload and what it looks like behind the scenes. You will also get a little information on how to defend against it and some additional references, so you can move further. You will have lab exercises from basic to harder levels to try what you learnt in that chapter, and sometimes real-life examples as well, without a written solution. For example, it tells you what Cross-Site Scripting is and its types, shows where it occurs, shows a basic payload, and shows the payload in context with the complete source code behind it and what will happen. You will have a couple of labs with a basic example and a slightly harder example. I like this complete presentation of the attacks: definition, attack anatomy, defence, references and lab exercises.
There is a Penetration Testing Process chapter at the beginning which will give you a basic overview of what happens before, during and after testing and how to write a report. I think this is a huge plus and a big help for understanding what can be expected from a penetration tester, at least when he or she starts to work. I also liked that there is a basic HTML5 and Flash chapter.
I missed a basic chapter about what command injection and remote code execution are, and it would be great to have them. It would also be great to see more on scoping, such as how much time it will take to perform a test and what to ask from the client, and some tips and tricks like starting to write the report during testing or how to organize what you found (mind map, colourful notes etc.), like this video.
I don't remember too much about the lab exercises. I rushed through them because I already had experience with most of the vulnerabilities.
The exam is not that hard, but you have to follow a methodology and use everything that you learnt in the course. If you don't do that, you will fail and have a hard time. It can't be emphasised enough that this is a penetration test and not hacking the web application or a CTF. At first I forgot this and got stuck, but I went back to square one, applied everything from the course and passed the exam. I passed the first time, so I don't know much about what happens if you go back and have a second week to find the missing vulnerabilities.
I liked the idea of performing a hands-on test where you have to write a report (although I don't like writing reports) about your findings. It is not a CTF where you find one specific thing; rather there are multiple vulnerabilities that you have to find and report, all of them and not just the high-risk ones.
You have a week for the hands-on exam and one week for the report, and there are no multiple-choice questions. If you fail, you will have one more week to find the missing ones. In real life most of the time you won't have this much time (of course it depends on the web application), but you will get a close feeling of a real project.
A quick note: it has a forum that is useful for asking about chapters from the course and lab exercises, and for reading about other people's problems and solutions.
I did the Full version and have a lot of lab hours remaining, because I didn't do all the labs. I don't know exactly how much time I put into it, but because of the 180-day exam restriction, I can say that I did everything in 3 months while I was working.
In summary, I'm happy that I took this course, because I got what I was looking for: a certification with a hands-on exam and removing the blank spots in the basics.
If you have no or minimal experience in web application penetration testing and would like to do a course that completely explains and breaks down the basics with examples for you and has a more realistic exam, then this course is for you. If you have at least one year of experience in web application penetration testing, then you should ask for a demo to check how much you are missing and whether it is worth paying to fill in the blank spots or not (or you will just pay with your free time searching for and reading it on the Internet). If you are just looking to bypass the HR filter, then it is not for you. I think it is not yet recognised as much as OSCP, GPEN, GWAPT or CEH by HR. If you want more, check the Extreme version (I'm trying to write a similar review about it as well).