I purchased the WAPT coursework very shortly after becoming OSCP certified. But naturally, sometimes courses fall by the wayside as life gets in the way. The past two months I finally kicked it in high gear and started working harder on the course and am pleased to say that it all worked out and I passed the exam. Below are my thoughts on the eLearnSecurity platform and process.
What I enjoyed:
- Once you purchase the course, you instantly get access to the contents. That is the videos, labs, and slides. I like that there is no waiting around and you can hop right into the materials.
- You can track your progress really well by clicking a checkbox whenever you’ve completed a module. When doing this, it will show your progress at the top of the page.
- The resources tab provided is helpful. When going through the study materials, there may be content that is referenced in the slides which contains supplemental materials which may aid in your study efforts. The resources tab makes it nice and easy to find those and check them out.
- The slides are very well explained and have a nice logical flow to them.
- Offense AND Defense. It is great to not only learn why various vulnerabilities may exist and how to exploit them, but also the proper remediation steps. This is huge for those that want to become Penetration Testers because you should be able to relay to a customer a brief remediation summary on how to fix a vulnerability you found.
- The videos have great demonstrations on how to use various tools, exploit different vulnerabilities, and provide an excellent commentary throughout which helps solidify concepts.
- I really enjoyed the lab portion. I also found some things with it I would change (but that will be below). What I liked about the labs is that there is a clear set of instructions on what your objective is. On top of that, they made me think more creatively and how you can chain various exploits together.
- The forums were a pretty good resource for me during my studies. I found that there were similar issues other folks encountered, and by reading some posts I was able to answer some of my questions. I also liked that they were mostly spoiler free, so while there may be some tips and nudges, you’re not given the answer outright.
What I didn’t enjoy so much:
Going to be a small list here…
- When you want to do a lab, you need to generate a new ovpn key for every new module you work on. In addition, you need to adjust /etc/resolv.conf so that you can work on the labs. I didn’t enjoy this as it was semi annoying to do this. I would prefer one ovpn file to connect to and all the labs be available to me. I get it — it’s probably easier for them this way, and each time you spin up a lab it’s dedicated… which is nice.
- The slides can be deceptively long. This is just a personal nitpick, but I often would think “oh my gosh there’s more”… When clicking through the slides, there would be sub-sub-sub-sections on various topics. Although it’s necessary and good to dive very deep on these concepts, sometimes I would have maybe 10-20 minutes to quickly go over some more material and it would turn into something much longer which I didn’t have time for at the moment. Would have been nicer to see exactly how many slides there were for each section.
If you’ve come here for spoilers, you’ll be disappointed.
What I liked:
The exam was pretty straightforward. I felt there was a small amount of ambiguity for the scope. Many people will say the scope is straightforward as well, but for me I had one small hangup that I questioned, but it was so minor that it did not affect me in any way during the exam. So although there was one small thing which didn’t affect me, I considered all of this a plus.
I LOVE the fact that I can start the exam whenever I want to, I will have instant access, AND I have 7 days to work on it. Let’s be honest, when will you EVER have to conduct a 24 hour pentest with 24 hours to write the report? Never. eLearnSecurity did a smart thing here. They structured the exam to emulate an actual Web Application Penetration Test which I thoroughly enjoyed. On top of that, it made writing the report even more fun for me because it felt semi-real.
What I didn’t enjoy so much:
The wait time. Plain and simple. As I’m writing this, the world is currently in a weird place because of COVID-19. I don’t know if that is the reason the results wait time is so long for folks right now when they submit their exam, but boy was the wait killing me. I had a very good feeling I passed, but there’s always that thought in the back of your head where you think about ways you could have done something differently. I heard stories of people who were waiting 20+ days for their exam results (different exam).
In all fairness, they do clearly state that it could take 30 days from when you submit your exam report to get the results. They are very transparent with that, so I can’t go out and say that they are being unfair with how long it takes to receive results. I think eLearnSecurity could really benefit from bringing on another employee to go over exam reports and shorten that time up a lot.
One other point of criticism is that the target domain during the exam is currently purchased as an actual domain, so if you don’t have your /etc/resolv.conf file adjusted properly, you may be scanning an actual domain... not good! That said, it should be on the student doing the exam to make sure they have all their settings correct.
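A pre-scan scope check for the resolver problem described above, as an added example that is not part of the course or its tooling: it confirms that the first nameserver in /etc/resolv.conf is the lab's DNS server and that the target name resolves only to addresses inside the authorised range. The DNS address, range and hostname are constructed placeholders, and the function names are illustrative.

```python
import ipaddress
import socket

def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf text, in file order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def in_scope(addr, scope_cidrs):
    """True if addr falls inside any of the authorised networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(cidr) for cidr in scope_cidrs)

def system_resolve(host):
    """Resolve host the same way the scanner will (system resolver)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def preflight(target, expected_dns, scope_cidrs, resolv_conf_text,
              resolve=system_resolve):
    """Return a list of problems; an empty list means the target is in scope."""
    problems = []
    servers = parse_nameservers(resolv_conf_text)
    if not servers or servers[0] != expected_dns:
        problems.append(f"first nameserver is {servers[:1]}, expected {expected_dns}")
    try:
        addrs = resolve(target)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return problems + [f"{target} did not resolve: {exc}"]
    for addr in addrs:
        if not in_scope(addr, scope_cidrs):
            problems.append(f"{target} resolves to {addr}, outside the lab range")
    return problems

# Constructed values: not the course's real DNS server, range or domain.
LAB_DNS, LAB_SCOPE, TARGET = "10.100.13.1", ["10.100.13.0/24"], "target.example"

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        issues = preflight(TARGET, LAB_DNS, LAB_SCOPE, fh.read())
    for issue in issues:
        print("STOP:", issue)
    raise SystemExit(1 if issues else 0)
```

Run it after connecting to the VPN and before starting any scanner; a non-zero exit means the name is still being answered by a resolver outside the lab.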
The provided course materials and labs are more than sufficient to pass the exam on your first attempt. As long as the student properly studies and is honest with themselves on what they need to work on more and focus on, they will be successful.
I would absolutely recommend this course to anyone looking to increase their Web Application Penetration Testing skills. I feel very confident now that I can conduct a successful Web App Pentest against real world clients. In addition, I feel much more comfortable using tools such as Burp Suite whereas before it felt intimidating.
This course has made me a more well-rounded professional and makes me excited to continue to dive deeper into web application pentesting.