PWPA Review

Overview:

https://certifications.tcm-sec.com/pwpa/

Similar to the Practical Network Penetration Tester (PNPT), TCM provides a comprehensive overview of the certification process for the Practical Web Pentest Associate (PWPA):

The Practical Web Pentest Associate™ (PWPA) certification is a beginner-level web application penetration testing exam experience. The exam will assess a student’s ability to perform a web application penetration test at an associate level. Students will have two (2) full days to complete the assessment and an additional two (2) days to write a professional report.

In order to receive the certification, a student must:
- Exploit a web application using any preferred tools or techniques.
- Provide a detailed, professionally written report.

Why did I take this exam?

Some keen observers might wonder, "Why take this Junior exam when you already have the OSCP and CRTO?"

The answer is quite simple: I know that web security is one of my weakest skill sets, and many of the certifications I have obtained cover only basic web exploitation or none at all. Some individuals might assume that holding a specific certification implies a higher level of skill in all areas, but the reality may differ.

A key takeaway I hope everyone grasps is the importance of truly knowing yourself. It's okay to pursue a junior-level certification to ensure you have the necessary foundation.

The course material:

Practical Bug Bounty
This comprehensive course dives into identifying and responsibly exploiting application vulnerabilities, laying a solid foundation in bug bounty hunting.

The PWPA exam recommends completing the 'Practical Bug Bounty' course, which is offered by TCM in cooperation with Intigriti. The material is very beginner-friendly and requires only basic knowledge of web applications.

In my experience, the course was fantastic. Heath, Alex, and Jonah do a great job covering all the material needed to get anyone started with bug bounty hunting and associate-level web application pentesting. Unlike the PNPT course, this one features self-hosted labs that you can set up using Docker images provided by TCM. This unique approach allows you to perform testing without the need to troubleshoot an externally hosted application.

One point I want to highlight is that I completed this material in about a week. Much of it served as a refresher for the knowledge I already had, with only minor modifications and additions being made to my notes. I was able to solve all the labs without needing direct hints and even tackled them in more complex ways than necessary.

The Exam:

Out of respect for the TCM team, I will not be providing any direct exam details that are not publicly known.

This section will be brief, as I was able to meet the criteria to pass the exam in about 5 hours. The main challenge I encountered was shifting my approach to view the exam from a web testing perspective, rather than from an Active Directory or network perspective.

The exam, in its entirety, is very fair and specifically tests your methodology. Individuals attempting the exam will need to demonstrate a solid understanding of the material that was taught—simply copying and pasting random attacks will not be effective.

Similar to the PNPT, a report is required to pass the exam. Don’t put this off or think you can wing it; review the reporting section within the course and pay attention to what is included in the template. With my experience in report creation from the OSCP and PNPT, this task was fairly straightforward. I was able to complete the report in a few hours, submit it, and receive notification of passing the next morning.

Closing Thoughts:

  • The course is excellent for gaining a solid grasp of web application testing.
  • The exam is quite enjoyable and should be approached with an open mind.
  • As always, the staff and community are excellent.