| description |
|---|
INE/eLearnSecurity Web Application Penetration Tester (eWPTv2) Notes |
 (1).png)
INE Security’s eWPT is for professional-level Penetration testers that validates that the individual has the knowledge, skills, and abilities required to fulfill a role as a web application penetration tester.
This certification exam covers Web Application Penetration Testing Processes and Methodologies, Web Application Analysis and Inspection, and much more. See the Exam Objectives below for a full description.
This exam is designed to be a milestone certification for someone with foundational experience in web application penetration testing, simulating the skills utilized during a real-world engagement. This exam truly shows that the candidate has what it takes to be part of a high-performing penetration testing team.
~ 106 hours (10 courses , 175 videos, 126 quizzes, 58 labs)
- Introduction to Web App Security Testing (WAPT) ~ 11 hours
- Web Fingerprinting and Enumeration (Information Gathering) ~ 10 hours
- Web Proxies ~ 12 hours
- Cross-Site Scripting (XSS) ~ 9 hours
- SQL Injection (SQLi) ~ 17 hours
- Common Attacks ~ 12 hours
- File & Resource Attacks ~ 11 hours
- Web Service Security Testing~ 5 hours
- CMS Pentesting ~ 9 hours
- Encoding, Filtering & Evasion ~ 8 hours
🛣️ RoadMap / Exam Preparation 🧑🏻🏫
- Where to find the Web Application Penetration Tester course? - INE Learning Paths
- Where to find the eWPTv2 certification exam? - eWPT
{% embed url="https://owasp.org/www-project-mutillidae-ii/" %}
eWPT Exam 📄🖊️
-
Exam Type: Multiple-choice quiz (throught lab environment)
-
Time limit: 10 hours
-
Expiration date: 3 years
-
Objectives:
Web Application Penetration Testing Processes and Methodologies (10%)
- Accurately assess a web application based on methodological, industry-standard best practices
- Identify vulnerabilities in web applications in accordance with the OWASP Web Security Testing Guide
Information Gathering & Reconnaissance (10%)
- Extract information from websites using passive reconnaissance & OSINT techniques
- Extract information about a target organization’s domains, subdomains, and IP addresses
- Examine Web Server Metafiles for information exposure
Web Application Analysis & Inspection (10%)
- Identify the type and version of a web server technology running on a given domain
- Identify the specific technologies or frameworks being used in a web application
- Analyze the structure of web applications to identify potential attack vectors
- Locate hidden files and directories not accessible through normal browsing
- Identify and exploit vulnerabilities caused by the improper implementation of HTTP methods
Web Application Vulnerability Assessment (15%)
- Identify and exploit common misconfigurations in web servers
- Test web applications for default credentials and weak passwords
- Bypass weak/broken authentication mechanisms
- Identify information disclosure vulnerabilities
Web Application Security Testing (25%)
- Identify and exploit directory traversal vulnerabilities for information disclosure
- Identify and exploit file upload vulnerabilities for remote code execution
- Identify and exploit Local File Inclusion(LFI) and Remote File Inclusion(RFI) vulnerabilities
- Identify and exploit Session Management vulnerabilities
- Exploit vulnerable and outdated web application components
- Perform bruteforce attacks against login forms
- Identify and exploit command injection vulnerabilities for remote code execution
Manual Exploitation of Common Web Application Vulnerabilities (20%)
- Identify and exploit Reflected XSS vulnerabilities
- Identify and exploit Stored XSS vulnerabilities
- Identify and exploit SQL Injection vulnerabilities
- Identify and exploit vulnerabilities in content management systems
- Extract information and credentials from backend databases
Web Service Security Testing (10%)
- Identify and enumerate information from web services
- Exploit vulnerable web services