The following review is a summary of my experience with the eLearnSecurity Web Application Penetration Testing Extreme course and certificate. This is my opinion based on my experience and not the standpoint of the company I worked at when I did the course. Also, I am not paid by eLearnSecurity.
I had 1.5 years of experience in internal penetration testing and 3 years of system administration. I had a BSc in Information Technology with the OSCP, MCSE and NetApp certificates and their courses. I had previously learnt the "breaking" part by myself, and the how-things-work part also from courses and by experience.
I chose this course along with the eLearnSecurity Web Pentest course, but there was no particular reason.
I was a little bit disappointed because of the eWPT’s high standard and numerous topics. Here there were fewer chapters, and there were no Server Side Request Forgery, Command Injection, Remote Code Execution, Server Side Template Injection or serialization/deserialization attacks. I would introduce those to the eWPTX and put a complete HTML5 chapter here. Maybe a third course would also be good for these topics.
I would move basic CSRF, Command Injection and Remote Code Execution into the eWPT and remove the Flash and HTML5 topics.
The XML attacks and SQL Injection chapters were the best. I liked the organisation concept behind the chapters: detailed explanation with examples from basic to more complex payloads for different databases, and it was good to try a second-order SQLi with sqlmap and the XML External Entity attacks.
I was excited about the HTML5 chapter, but unfortunately it was the worst chapter. It was just too rough and not detailed enough. It would be good to see more code and detailed explanations with a lab exercise.
The evasion basics chapter was very good. That non-alphanumeric encoding code is insane. I would also present basic functions such as split, reverse, char substitution, XOR, etc.
Overall I found the exam easier than the eWPT, although I got stuck with one attack, but after 3 days it worked. I think there was something small that I couldn’t find (I found small typos twice), so I recreated the whole attack from the beginning.
I did the Full version and I don’t know exactly how much time I put into it, but because of the 180-day exam restriction, I can say that I did everything in 3 months while I was working.
I think it wasn’t a bad course, but because I was disappointed by the missing attack types and HTML5, I left with a bad feeling about the course.