PWPP Review
Overview:
https://certifications.tcm-sec.com/pwpp/
As with the Practical Web Pentest Associate (PWPA) and the Practical Network Penetration Tester (PNPT), TCM has provided a comprehensive overview of the certification process for the Practical Web Pentest Professional (PWPP):
The Practical Web Pentest Professional™ (PWPP) certification is an intermediate-level penetration testing exam experience. This exam will assess a student’s ability to perform a web application penetration test by requiring them to exploit more advanced vulnerabilities including NoSQL, race conditions, mass assignment, SSRF, template injection, and more.
Students will have three (3) full days to complete the assessment and an additional two (2) days to write a professional report.
The PWPP is a challenging exam that simulates a real-world web application penetration testing experience. In order to receive the certification, a student must:
- Exploit a web application using any preferred tools or techniques.
- Provide a detailed, professionally written report.
What led me to take this?
As stated in my PWPA review, web testing is not my strong suit. Following the success and knowledge gained from the PWPA, I wanted to take my skills to the next level and enhance my abilities holistically.
While some may view the PWPA as sufficient to get me up to speed, I want to ensure that a solid foundation is truly in place moving forward.
The course material:
TCM recommends completing the 'Practical API Hacking' and 'Practical Web Hacking' courses prior to attempting the PWPP exam to ensure the best chance of success. Both courses are offered by TCM and authored by Alex Olsen, who has also been a key lead instructor for the PWPA material.
The material overall assumes you have a baseline understanding and offers less guidance than the PWPA materials. Alex is the sole instructor, and I can say for certain that he really knocked this out of the park. Both courses complement each other in developing a methodology, and Alex does an amazing job walking you through the attacks in a way that allows you to not only grasp what he is doing but also understand why he is doing it.
One item I wish to mention before moving on is that I completed the API course before the Web hacking course. While this might have been out of order, I found that the API course significantly helped with the Web course.
The Exam:
Out of respect for the TCM team, I will not be providing any direct exam details that are not publicly known.
One important note is that when I sat for the exam, I was only able to test for 26 of the 72 hours. Luckily, I had completed the exam objectives in that time, but I cannot stress enough the importance of setting aside enough time, as acquiring the required material may not always go this quickly.
To keep this brief, the exam is very fair and challenges your methodology as well as your overall problem-solving skills. It is not cut-and-dried or a 'spray and pray' situation; you need to approach the exam like a real application in order to have a chance at success.
Following the TCM format, a report is also required to pass. I was able to complete the report in about 2 hours after my testing window. If you have never written such reports before, make sure to allocate adequate time to ensure all items are covered. I was somewhat rushed and was lucky not to miss any important details. A report template is provided to assist with this section of the exam and to help you understand what is expected. Upon submitting the report, I received notification of passing the next morning.
Closing Thoughts:
- The courses were amazing, as I expected from TCM.
- The exam is very stable, unique, and challenging in a positive manner.
- As always, the staff and community are excellent. (I know this is repetitive, but it's true!)