[PWPT Acquired]

Curious about web application pentesting? Want to showcase your skills and set yourself apart from your peers? See this week's BONUS article for my review of the PWPT exam, now officially available from TCM Security!

What’s the PWPT?

“The Practical Web Penetration Tester™ (PWPT) certification is an intermediate-level penetration testing exam experience. This exam will assess a student’s ability to perform a web application penetration test by requiring them to exploit more advanced vulnerabilities including NoSQL, race conditions, mass assignment, SSRF, template injection, and more.”

Written by Alex Olsen (Appsecexplained), the PWPT is a multi-day exam with three days of testing and an additional two for reporting. It's an intermediate-difficulty web penetration testing exam that focuses on the practical skills involved in testing a novel web app built with modern security best practices in mind.

Beta-Tester Eru:

I’m quite thankful that I was given the opportunity to be a beta-tester for this exam. It allowed me to be one of the first sets of hands on the environment and gave me the opportunity to contribute back to a company that has meant so much to my personal and professional growth over these last six months. And with that said, I’m extremely proud to announce that I was successful in my exam attempt and am one of the very first to hold the title of PWPT certified!


Training Montage:

The Courses:

In typical TCM fashion, everything you need to pass the exam is covered in the relevant courses. With this being my third TCM certification, I can easily say that this is the tried-and-true model of their exams, and the PWPT is no different. Building off the Practical Web Hacking (PWH) and Practical API Hacking (PAH) courses, this exam will have you leverage more advanced exploits against a more realistic target.

Practical Web Hacking:

With a heavy emphasis on lab-driven learning, the PWH course introduces you to several new exploitation techniques and the vulnerabilities that allow for them. Using PortSwigger's Web Security Academy labs to provide students with a highly detailed walkthrough of the various exploits, Alex Olsen reinforces the value of learning not just how an exploit works in a specific situation, but how to recognize the symptoms an application presents when it's vulnerable.

Practical API Hacking:

Taking the time to expand further upon topics introduced in previous courses, the PAH course delves into what an API is and why the distinction matters. It serves to remind us that developers are human and do have the capacity to make mistakes – mistakes that may lead to vulnerabilities for us as security researchers to find! With two large capstones to serve as our playgrounds for testing, this course helps us build out our intuition on understanding not just what an API is, but the implementation patterns it presents and how we can leverage them to find new vulnerabilities.

The Livestreams:

Now, let me preface the following section by repeating my initial statement – the relevant courses contain all the material you need to pass the exam. While not directly meant to serve as training for this exam, there are many amazing resources available to those trying to learn. I personally find a lot of value in attending livestreams, especially ones with engaging streamers who take the time to not just explain their methodology, but actively consider the input from chat and give engaging feedback. To this end, I would highly recommend checking out the following:

  • TCM Security's livestreams, every Wednesday at 11:00 a.m. Central

  • Tib3rius's livestreams, every Monday and Wednesday

If you’ve attended any of these livestreams over the past several months, you may have seen a certain recognizable fox asking probing questions and causing just a bit of chaos! (Say hi if you see me!)

Independent Research:

I also do my best to conduct some independent research. From throwing my technical questions into HackerGPT to listening to the Critical Thinking Bug Bounty podcast every Thursday, my desire to learn and improve is not limited to just passing an exam. This is a field I truly find rewarding and one that I'm proud to be a member of. Like coming home after a long day, learning alongside my peers motivates me to push myself and not be satisfied with where I was yesterday.


The Experience:

Now, for what I’m sure you’re all actually here to read, the exam itself. This section is honestly the one that I’ve struggled the most to put into words. For obvious reasons, I cannot discuss the environment itself. If that’s what you’re here to find out, I would like to remind you that we are ETHICAL hackers. Before any amount of security research, this is a field where having a strong ethical compass matters.

Test Environment:

In typical TCM fashion, the PWPT is of a practical nature. No gamified CTF, no multiple choice. The exam features a novel web application built by Alex and the TCM dev team, and passing requires the tester to fully demonstrate their ability to put theory into practice and apply what they’ve learned.

Even in its beta stage, the application was a gem to test on. While I did manage to find a few unintentional bugs, these were acted on when reported and have since been corrected for the full release. The impression this environment gave me was of a small to mid-sized company with awareness of secure development practices. While I wouldn't compare its size or complexity to Amazon or Google, it felt like just the right scope for an intermediate exam.

Time Management:

This was the first TCM exam where I struggled on time. I work a full 9-5 in an unrelated field and was unfortunately not able to take time off for this exam. As a result, my testing period was limited to what I could achieve after work, and my report period lost an entire day. If you're planning on taking this exam, I would highly recommend you set aside a solid block of time for it.

If you’re in a similar situation to myself, I would recommend taking a Friday off, and starting on a Thursday night. This will let you maximize your time in the environment, and let you focus on reporting as you go – ensuring you get all of your screenshots along the way.

Strategies:

Regarding time management in the exam itself, my methodology is heavily inspired by a quote from Jason Haddix: "We don't do recon to find hacks, we do recon to find things to hack." That is to say, the recon we perform sets the upper bound on the attack surface we can actually test. Prioritize discovering assets on that first night. Take the time to find all of the endpoints, use the application in the intended manner, discover as much about its tech stack as you can, and set yourself up for success.

Once you feel confident in your recon, explore the areas of the app that interested you. What weird functionality did you notice? What curiosities caught your eye? The intuition you've developed in practice is one of the best tools in your arsenal. It's what will find the bugs that your scanner won't.

Beyond the weird functions, take the time to follow your methodology. Do you have a set of tests you run on input sources (URL parameters, form fields, headers, JSON bodies)? What about a process for finding sinks, the places where that input is consumed (database queries, template rendering, outbound requests)? By building out a reliable methodology (and sticking to it), you save yourself from forgetting to test something in the heat of the moment.
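To make the "recon first, then sources and sinks" advice above concrete, here is a small offline helper that builds the kind of inventory I'd want finished on that first night: in-scope endpoints, the parameters each one accepts (candidate input sources), and tech-stack hints from response headers. This is an added example written for this article, not code from TCM, Alex, or the exam; the HTTP response it parses is constructed, and the cookie-name fingerprint table is a deliberately partial, assumed mapping.

```python
"""Offline recon helper: inventory endpoints, input parameters and tech-stack
hints from one captured HTTP response (HTML body + headers).

Added illustration for this article; the sample response below is constructed
and the fingerprint table is an assumed, partial mapping."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

BASE = "https://target.example.invalid/"  # assumed in-scope host

# Constructed sample: what an intercepting proxy might show for a landing page.
SAMPLE_HEADERS = {
    "Server": "nginx/1.24.0",
    "X-Powered-By": "Express",
    "Set-Cookie": "connect.sid=s%3Aabc.def; Path=/; HttpOnly",
}
SAMPLE_HTML = """
<html><head><script src="/static/app.bundle.js"></script></head>
<body>
  <a href="/profile?id=7">Profile</a>
  <a href="https://cdn.example.invalid/lib.js">external</a>
  <form action="/api/v1/users/update" method="post">
    <input name="username"><input name="role" type="hidden" value="user">
  </form>
  <form method="get"><input name="q"></form>
</body></html>
"""

# Assumed cookie-name fingerprints (partial; extend from your own notes).
COOKIE_HINTS = {
    "connect.sid": "Express/Node",
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet",
}


class _Collector(HTMLParser):
    """Collect hrefs, script srcs, form actions and input names."""

    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.links.append(a["src"])
        elif tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").upper(),
                          "params": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["params"].append(a["name"])  # a candidate input source

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def inventory(html, headers, base):
    """Return in-scope endpoint paths, per-path parameter names and stack hints."""
    c = _Collector()
    c.feed(html)
    host = urlparse(base).netloc
    endpoints, params = set(), {}
    for raw in c.links + [f["action"] for f in c.forms]:
        p = urlparse(urljoin(base, raw))
        if p.netloc != host:
            continue  # out of scope: note it in the report, but don't test it
        endpoints.add(p.path)
        for name in parse_qs(p.query):
            params.setdefault(p.path, set()).add(name)
    for f in c.forms:
        path = urlparse(urljoin(base, f["action"])).path
        params.setdefault(path, set()).update(f["params"])
    stack = {headers[h] for h in ("Server", "X-Powered-By") if headers.get(h)}
    cookie = headers.get("Set-Cookie", "")
    for name, tech in COOKIE_HINTS.items():
        if re.search(rf"(^|;\s*){re.escape(name)}=", cookie):
            stack.add(tech)
    return {"endpoints": sorted(endpoints),
            "params": {k: sorted(v) for k, v in params.items()},
            "stack": sorted(stack)}


if __name__ == "__main__":
    inv = inventory(SAMPLE_HTML, SAMPLE_HEADERS, BASE)
    for path in inv["endpoints"]:
        print(f"{path:30} params={inv['params'].get(path, [])}")
    print("stack hints:", inv["stack"])
```

On the constructed sample this surfaces four in-scope paths, skips the external CDN script, and flags a hidden `role=user` field on the update form. That field is exactly the sort of thing a methodology should route to a mass-assignment check, one of the vulnerability classes the exam description lists.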


Thoughts & Recs:

My Thoughts:

Well, if you're still reading at this point, thank you! By far my favorite aspect of the TCM exams is that they are technically challenging, and the PWPT is no exception. It doesn't rely on rote memorization or regurgitating textbook techniques. Instead, it challenges the tester to be innovative, to take what they've learned and find real-world mistakes in an application. You have to be creative and flexible, not letting yourself be locked into what you've seen before, and instead remain open to the fact that this environment is wholly unique and contains vulnerabilities unique to it.

Beyond the technical challenge, this exam has a ton of personal significance to me. This was my first attempt at an intermediate tier cert and I was able to walk away with a win. My journey at TCM actually started with a large focus on earning their PNPT as soon as I could, however, over these last several months I’ve noticed myself more and more drawn to web testing and the world of bug bounty. For me, this exam proves that the last several months of hard work are paying off -- even if I don’t notice it every day -- and serves as a motivator to keep pushing as I enter the second half of my first year in security research.

My Recommendations:

If curiosity is one of the reasons that InfoSec has your heart, I would highly recommend looking into this exam. While some may argue that the lack of a clearly defined target makes web testing less approachable, I see it as a blank sheet waiting to be drawn on. It's an environment that rewards curiosity and creativity, and knowing that every web app I encounter is likely to be fully unique from ones prior makes me excited to uncover its secrets! I feel confident that AppSec is a specialization that will keep up with my endless desire to learn, and I suspect it will keep up with yours as well.


Special Thanks

And with that, I want to say an absolutely massive thank you to the two individuals who’ve helped me discover my passion for Web Apps:

Alex, from the livestreams to the CTF competitions, you’ve taken the time to answer my questions (technical or not) and have helped fill in the gaps in my knowledge to give me an incredibly solid foundation. With chaos and cats in equal measure, your passion for security is what made me follow TCM on YouTube in the first place.

Tibs, a week just isn't the same without Cyber Mentoring Monday and Web App Wednesday. By encouraging the chaos in the Twitch chat and even letting me suggest themes for the day's stream, you've helped me round out some of the areas I truly struggled with and build out a methodology I can use to approach any issue.

To both of you, thank you so much for being Cyber Mentors I can count on, and I look forward to continuing my journey until the day comes where I feel confident addressing you as a peer.

-- Eru