This blog post is a review/summary of my experience with the Burp Suite Certified Practitioner exam. All of the information on this page are publicly available on the PortSwigger website. This review/summary does not contain any spoilers.
PortSwigger has this to say about this training path:
By becoming a Burp Suite Certified Practitioner, you will be able to demonstrate your web security testing knowledge and Burp Suite skills to the world. This certification will prove to peers, colleagues, and employers, that you have the ability to:
- Detect and prove the full business impact of a wide range of common web vulnerabilities - such as XSS, SQLi, OWASP Top 10 and HTTP Request Smuggling.
- Adapt your attack methods to bypass broken defenses, using your knowledge of fundamental web technologies like HTTP, HTML, and encodings.
- Quickly identify weak points within an attack surface, and perform out-of-band attacks to attack them, using manual tools to aid exploitation.
A little background
I spent about half of 2020 working on various certifications, like OSCP and OSWE and several from eLearnSecurity.
I’ve been a hobby coder since I was 10, and a professional developer for a long time. I’ve recently transitioned from development to penetration testing.
A great offer
PortSwigger had a nice offer for Black Friday, $9 for the exam attempt - and a full refund if you passed before December 15th. Given that I work a lot with Burp Suite (and already had the required Burp Suite Professional license), it made perfect sense to just give this a go!
I purchased the exam, and started working on the practice exam. It took a couple tries, but I eventually got it. Before I felt ready for the exam, I decided to do as much as I could of the Web Security Academy Labs, focusing mostly on XSS (since the exam preparation specifically mentions XSS).
The first attempt
PortSwigger use Examity, a third party proctoring service, to verify your identity. The Examity platform does not work on Linux, so you need Windows or Mac for this stage. After verifying your identity, you disconnect from the proctoring session. And as far as I know, there’s nothing stopping you from using a VM with Linux to do the exam itself.
The exam itself was similar to the practice exam, except that you have to complete two applications. You get a total of four hours to do this.
PortSwigger expects you to do the following (in order) on both applications:
- Login as any user
- Elevate to admin
- Exfiltrate contents of
/home/carlos/secret
When I got the entire first application and the first step on the second application done, with more than half the time left, it certainly felt like I should be able to finish this.
I spent way to much time on something that should have worked, and would have worked in the Web Security Academy. But then I tried something completely different, and that worked.
When I only had one step left, I got stuck. Completely stuck. Even with more than one hour left to figure it out, it ultimately ended with a failed attempt.
The second and third attempts
The price increased to $99, but the offer for a full refund if you passed before December 15th was still valid.
With that in mind, I had to give it another try!
The exam applications are randomly selected when you start, so you won’t get the same applications on subsequent attempts.
I got completely stuck almost right away, once again spending way too much time on the wrong idea. And this is what ultimately led to the second failure. I ran out of time.
But since I knew I would’t be able to sleep or do anything useful until I had given it another try, I purchased and started the third attempt immediately after the second attempt ended. The refund offer also helped when making this decision.
This time I tried telling myself not to get stuck in one path, which is what made me fail the two first attempts. And that helped - this time I tried something else when I got stuck. And that did the trick!
With more than one hour to spare, I finally completed both applications!
Since I did two attempts in a row, after work, it was almost midnight by the time I finished. I didn’t want to stay awake only to wait for the exam to time out (it didn’t finish automatically), so I decided to get some sleep instead.
I got this in an email from PortSwigger shortly after the exam time ended:
You successfully solved the technical components of the Burp Suite Certified Practitioner exam. We just need to verify your results with Examity, our third-party proctoring service.
This process can take between 24-48 hours. We’ll be in touch once we have verified your results.
I never got any notification, but my certificate was available a couple days later from my PortSwigger Account page.
Now that it’s done, I can say that I’ve learned something from the two failed attempts. So I’m calling this a success!
My thoughts
This is a relatively new exam. I had never heard about it before, and I couldn’t find any reviews online. But I am glad I gave it a try. I had lots of fun doing it, and I learned a lot. The last exam I did was OSWE in 2020, so I had almost forgot how much fun this was.
I haven’t done a huge amount of actual penetration tests yet, but from the ones I have done, this certainly feel like a relevant certification. And I have improved my Burp skills while working on this certification.
This exam only tests your ability to effectively use Burp Suite Professional, so there’s no requirement to do a report or anything other than gaining access and submit the “flag”.
What I really like about this certification:
- Free training!
- Free practice exam and lots of useful information available up-front
- Dedicated labs - you don’t share the lab environment with any other student
- Exam can be started whenever you are ready - no need to schedule in advance, just click the button and start hacking!
- No restrictions on tools - use whatever tools you are comfortable with, free and commercial, although the point here is to demonstrate that you know how to use Burp Suite
The price is relatively cheap compared to other certifications, but you will need a Burp Suite Professional license, which is not cheap. I’m lucky and have an employer who pay the fee for me, but for $9 I wouldn’t hesitate a second to pay for this myself. Maybe PortSwigger will run the same promotion next year?
The exam is only valid for 5 years, which means we should probably expect that PortSwigger will regularly update the exam.
My advice
- Read the entire exam information page
- The free Web Security Academy Labs should be enough to prepare you for the exam
- Do the practice exam
- Time is limited - make sure you have your environment ready when you start
- Look at what third party tools you need in the Web Security Academy, and have them installed - especially those that are mentioned in the exam information
- Don’t create your own rabbit holes
- If you have something you’re certain should work, and it doesn’t, try something else
- Take notes, but don’t spend much time on this - no report is required
- If you fail, spend more time in the Web Security Academy before trying again
My timeline
- November 29th, 2021: First exam attempt purchased
- December 8th, 2021: First exam attempt
- December 15th, 2021: Second exam attempt
- December 15th, 2021: Third exam attempt
- December 16th, 2021: Exam status updated to Passed