TLDR; If you are familiar with web penetration testing methodology and web attacks like SQL injection, creative XXS, web service exploitation etc. then you are probably good to go for the exam

Course

This course covers basic web penetration and web enumeration with a focus on basic web exploitation like SQL injections and XSS, along with general information on web penetration testing methodology. Please refer to the link in the references for details on the different modules of the course. If you have done the course for the eCPPT then you will likely have a Deja Vu moment when looking through the slides of this course, many of the modules are exactly the same across the two courses so it might be worth skipping these if you already have done the eCPPT course. In general, the material and the labs are starting to show their age and compared with modern alternatives like PortSwiggers web academy they tend to come up lacking. I would personally recommend that you go for the material that PortSwigger has made available as they are of a higher quality and more up-to-date. If you do decide to go with the PortSwigger web academy just ensure that you go through the areas outlined in the syllabus below. The labs are the same story, better alternatives can be found on HTB or web academy, so consider these options before committing to INE.

The Exam

The exam is modelled after a real-world web application penetration test, here you are tasked with gaining administrative access to a website. You will have plenty of time for both the reporting and the penetration test. As with most ELS courses, there is nothing in the examination that has not already been covered in the course material, the key difference here will be the creativity in how you use the techniques. Looking back at it the exam environment is fairly small, so don’t worry too much about having enough time to make it through! If you need additional practice apart from the labs from ELS and PortSwigger then consider doing some labs on HTB filtering by the different subjects covered in the course. If you have any doubts considering methodology please check out HackTricks they have an awesome methodology section on the web (and everything else)

Resources

  • https://dsxte2q2nyjxs.cloudfront.net/Syllabus_WAPTv3.pdf
  • https://portswigger.net/web-security
  • https://book.hacktricks.xyz/pentesting-web/web-vulnerabilities-methodology