Here is my journey into taking the GWAPT (GIAC Web Application Penetration Tester) exam without attending the course, finishing with a score of 86%.
When I reserved the exam, I already had good knowledge of web security and vulnerabilities, had gone through some CTFs, and had solved many vulnerable machines.
As for the exam topics, I think they can be considered the basics of web security. The exam doesn't go into deep exploitation or advanced techniques; it only focuses on how well you understand the concepts, and on whether you have really had hands-on practice with these topics rather than just reading slides or watching videos.
Questions are sometimes very tricky and may appear to have two possible answers, but always remember that all the answers lie in the books, so you really need to focus.
First of all, if you attended the course, my advice is to start studying while the course is still running and all the information is fresh, because the big problem with this exam (or any other exam) is that the questions really examine your deep understanding of every detail in the course.
If you didn't attend the course and wish to take the exam, I suggest the following in order to pass:
First, have a look at all the topics mentioned in the certification syllabus, and measure your level of knowledge in each topic.
You can find enough information here:
The First Round
Start reading about each topic, whether from the notes, by searching online, from other references, or by watching tutorials. In this phase you really want to hunt down every piece of information you find and write it down in your notes; these notes will be your right arm while solving the exam.
The exam is an open-book exam, which requires only understanding, not memorization; however, memorization will speed up your progress.
You need to make a very good index of all the information you gathered, mapping each piece of information to a resource, whether a book, your notes, or even a tutorial you watched, so you won't waste your valuable time searching through all your books and notes.
Reading the following books really helped me gain a better understanding of each piece of information:
- The Web Application Hacker's Handbook
- Mastering Modern Web Penetration Testing
Practice, practice, practice!
Make sure you get enough hands-on practice by working through the SEC542 virtual machine if you have it, by solving some vulnerable machines on VulnHub, (DVWA), or (Web Goat), or by watching the video tutorials of this guy () at his website, which were very good, while the CTF was really helpful:
After your first round with all of these resources, you should take your first practice exam to measure your level of understanding. Make sure to prepare your index, notes, and books first, so you get the complete experience of the exam, and make sure not to rush through any question; as I mentioned earlier, the questions may appear very easy but they also contain a lot of tricks.
My attempt at the first practice exam didn't bring me very happy news, as the score was only 71%, which is just enough to pass.
The good news is that SANS gives you the areas where your answers were weak, so you can study them harder next time. I studied those parts again, reviewed all the topics one more time, then went through the second practice exam and scored about 90% this time (but please note that many questions from the first practice exam will be the same in the second one, so the score here is not very reliable).
After the second practice exam I decided to reserve the real exam. At this step, please always visit the test center before choosing it, as the environment of the test center is a really big factor in the whole examination experience. The one I chose was very bad and the support there was awful, which can really affect your focus while you are taking the exam.
While taking the exam I noticed that none of the questions from the two practice exams appeared in the final exam, although the difficulty level was just the same.
In the end, the GWAPT / SEC542 experience was very informative for me, as were the other resources I studied during the preparation period. You may suffer a lot to get through all of these topics, but it is really worth it.