Skip to content

dev-angelist/eWPTv2-Notes

Repository files navigation

description
INE/eLearnSecurity Web Application Penetration Tester (eWPTv2) Notes

📝 eWPTv2

INE Security’s eWPT is for professional-level Penetration testers that validates that the individual has the knowledge, skills, and abilities required to fulfill a role as a web application penetration tester.

This certification exam covers Web Application Penetration Testing Processes and Methodologies, Web Application Analysis and Inspection, and much more. See the Exam Objectives below for a full description.

This exam is designed to be a milestone certification for someone with foundational experience in web application penetration testing, simulating the skills utilized during a real-world engagement. This exam truly shows that the candidate has what it takes to be part of a high-performing penetration testing team.

Course duration & Topics ⏳📚

~ 106 hours (10 courses , 175 videos, 126 quizzes, 58 labs)

🛣️ RoadMap / Exam Preparation 🧑🏻‍🏫

E-Links 🔗📔

  • Where to find the Web Application Penetration Tester course? - INE Learning Paths
  • Where to find the eWPTv2 certification exam? - eWPT

Training and Labs

{% embed url="https://owasp.org/www-project-mutillidae-ii/" %}

eWPT Exam 📄🖊️

  • Exam Type: Multiple-choice quiz (throught lab environment)

  • Time limit: 10 hours

  • Expiration date: 3 years

  • Objectives:

    Web Application Penetration Testing Processes and Methodologies (10%)

    • Accurately assess a web application based on methodological, industry-standard best practices
    • Identify vulnerabilities in web applications in accordance with the OWASP Web Security Testing Guide

    Information Gathering & Reconnaissance (10%)

    • Extract information from websites using passive reconnaissance & OSINT techniques
    • Extract information about a target organization’s domains, subdomains, and IP addresses
    • Examine Web Server Metafiles for information exposure

    Web Application Analysis & Inspection (10%)

    • Identify the type and version of a web server technology running on a given domain
    • Identify the specific technologies or frameworks being used in a web application
    • Analyze the structure of web applications to identify potential attack vectors
    • Locate hidden files and directories not accessible through normal browsing
    • Identify and exploit vulnerabilities caused by the improper implementation of HTTP methods

    Web Application Vulnerability Assessment (15%)

    • Identify and exploit common misconfigurations in web servers
    • Test web applications for default credentials and weak passwords
    • Bypass weak/broken authentication mechanisms
    • Identify information disclosure vulnerabilities

    Web Application Security Testing (25%)

    • Identify and exploit directory traversal vulnerabilities for information disclosure
    • Identify and exploit file upload vulnerabilities for remote code execution
    • Identify and exploit Local File Inclusion(LFI) and Remote File Inclusion(RFI) vulnerabilities
    • Identify and exploit Session Management vulnerabilities
    • Exploit vulnerable and outdated web application components
    • Perform bruteforce attacks against login forms
    • Identify and exploit command injection vulnerabilities for remote code execution

    Manual Exploitation of Common Web Application Vulnerabilities (20%)

    • Identify and exploit Reflected XSS vulnerabilities
    • Identify and exploit Stored XSS vulnerabilities
    • Identify and exploit SQL Injection vulnerabilities
    • Identify and exploit vulnerabilities in content management systems
    • Extract information and credentials from backend databases

    Web Service Security Testing (10%)

    • Identify and enumerate information from web services
    • Exploit vulnerable web services

Resources 📑📘

📖 Read the Lab Guidelines 📖