My Experience with SANS SEC542 – Web App Penetration Testing and Ethical Hacking Course #infosec #webapp #sans542 #ethicalhacking #gwapt

Another day, another hacking post.

Today’s blog post will discuss my experience with SANS 542 for the GWAPT certification. I completed the course through the OnDemand (online) version.

Let me preface with a few disclaimers:

  1. This class was on my bucket list for the last year, so I was VERY ecstatic when I was able to enroll
  2. My job paid for this course as it’s $6k+ which includes: practice test (2x) and certification attempt. This does not include travel arrangements (flight, hotel, and food).

As you can see the class is expensive, but it’s a good course to invest into if you want to become a penetration tester.

The course is broken into 6 parts. Let’s discuss each section.

Section 1: Introduction and Information Gathering

As the title states, this was a primer of web application testings with reviewing the HTTP and HTTPS protocols, discuss web infrastructure, and discuss reconnaissance using the following tools: WHOIS and DNS. Finally, I was introduced to a web application vulnerability such as Heartbleed.

I found the material to progress at a nice pace. I had a general knowledge of web application pentesting by tinkering with a home lab, but this introduction filled in some of the blanks that I had.

Section 2: Configuration, Identity, and Authentication Testing

This section heavily relies on mapping a web application target, and reconnaissance, which is arguably the most important part of testing. Some of the tools that was used were: nmap, cURL, and manual techniques using Burp Suite (such as Burp Intruder). In this section, I was introduced to another web application vulnerability – Shellshock, which surprisingly was vulnerable for 25 years!

I REALLY enjoyed this section as I am a hands-on learner, so tinkering and learning new techniques was great. Also, I had a rush whenever I was able to successfully exploit a vulnerability.

Section 3: Injection

In this section I learned about SQL, Blind SQL, Error based SQL injection, command injection, remote file include (RFI), local file include (LFI), session tracking, authentication bypass by using the vulnerable application Mutillidae. Mutillidae is a great application to use when honing your web application skills as I previously stated the application is vulnerable to A LOT of attacks!

Again, I really enjoyed this section, I learned some new skills (LFI, RFI, and command injection), I already knew about SQL injection before taking the course.

Section 4: XXE and XXS

In this section, I learned about the different flavors of Cross-Site Scripting (XSS) – reflected, stored, or DOM, XML External Entity (XXE), XML and JSON, as well as logic attacks to web applications.

Again, enjoyed this section, and I learned A LOT. I knew about Cross-Site Scripting and the different flavors but had NO clue about XXE or XML. It was interesting to see the techniques on how to launch an XSS attack using JSON. As well as how I can use the logic and data returned from an application to deduce certain aspects of the application and craft attacks to exploit said application.

Section 5: CSRF, Logic Flaws and Advanced Tools

In this section, I learned about Cross-Site Request Forgery (CSRF), and tools such as: Metasploit, WPScan, w3af. Also, I learned how to use Python to leverage attacks on web applications as well as how to pivot inside a web application. Also, a cool talking point was on when the tools fail, which is a real scenario.

I enjoyed this section. I am glad that the professor touched on when tools failed. There are some people who heavily rely on tools and get discouraged or miss vulnerabilities when said tools do not work.

Section 6: Capture The Flag

This by far was my favorite part of the course!!! Since my class was online, the capture the flag was online as well. Note, if this class is completed at a SANS location then the capture the flag is an all day event on the 6th day. The team (or person) who has the highest score receives a medal.

Anyway the capture the flag incorporated all of the concepts of the class into a realistic environment.

Things to say about the capture the flag – while it was fun, I made STUPID mistakes. Remember when I said that information mapping was important? I lost 4 points, due to not correctly map the web application. For instance, I completed IGNORED a server that had a TREASURE TROVE of vulnerabilities. <– Yes, I am still kicking myself for that mistake.

The capture the flag was super fun as it started with answering questions and then progressed into hands-on exploits. Also, the questions started to get harder as the game progressed (I am a gamer at heart!) Also there were some funny Aha moments, such as the classic music video. I also fell prey on trying to use to tools, which made answering some of the questions harder than it needed to be. The question could’ve been on a difficulty level of 3 and I made it into a 9 by customizing a fancy exploit that was not needed.

At the end of the 4 months, I finished #11 out of 40 people. Not too shabby. If I didn’t make the mistakes above, I would’ve finished in the top 10.


Final assessment of the course: I LOVED the course!!! Like I kept reiterating I learned a lot of about exploiting web applications, that I will take with me in my journey as a pentester. I liked that each book was built on top of each other. Meaning in book 1 I started off with a primer and learning about web application architecture(s). When I started book 2, I built on top of book 1’s knowledge to then learn about information gathering and reconnaissance, etc. By book 6 (capture the flag) I had a solid foundation on how to actual execute a web application penetration test.

The good thing about this course is that the exploits are not cookie cutter. There were times where I scratched my head and had to do an exploit two to three times to FULLY understand all of the moving parts. Also, another great thing about the course is that the student will receive books for each day (that you can keep) as well as a custom VM that has all of the labs, vulnerable applications, and tools that were used in the course just in case if you want to study or find more vulnerabilities once the class is over. As my instructor, Eric Conrad stated, “One of the differences between a good and great penetration tester is creativity.” I want to be a great pentester, and this class will help me get there.

One last thing… the GWAPT certification. I will not go into detail about test questions (as that is unethical), BUT I will say the test is open book. Make sure to fully utilize the practice test(s) by pretending it’s the REAL test. These practice tests will give you a baseline of how well you know the material. You then can go back and review said concepts and take the second test again to see if there’s improvement. I have taken 4 SANS courses (including this one), with 3 certs, and I can tell you that your index is the MOST important thing for when you take the real test. Your index will literally make or break you, so it’s important to spend a considerable amount of time to make sure your index matches your learning style. The test has a time limit of 3 hours, and you will need to answer 75 questions with a passing score of 71% and above. If you score 90% and above you will be placed in an elite group called the Advisory Board. You can learn more here.

If there are anymore questions, please do not hesitate to reach out to me on twitter at @DevSecOpsGrl007.

Until next time!