PWPP
Summary
This certification is a professional-level certification, meaning you do need to know a thing or two about performing an assessment and finding vulnerabilities. The techniques taught in the Practical Web Penetration Associate (PWPA) are necessary to understand the more complex attacks in this course. Just like in PWPA, Alex’s approach is all about keeping your notes updated along the way. If you followed PWPA, you’ll definitely revisit some things before diving into the deeper material.
Course
The course is split into two parts: one focused on API hacking, and one focused on web hacking. Both parts work hand in hand, but I think it’s beneficial to start with the API section.
Exam
The goal of the course, obviously, is to pass the PWPP exam. Here’s a bit about my experience.
Rules
Before starting the exam, you’re reminded that you can’t share exam details, so I’m not going to spoil anything. Everything you need to know is in the Rules of Engagement (RoE) you receive when you click “Start Exam.” This document explains what you should look for, who to contact if something goes wrong, and what you’re not allowed to do. Read it. Then read it again. It’s important.
Pentesting
After reviewing the RoE, it’s time to visit your target. From that point on, it’s just you, your tools, and the techniques you’ve learned. And that’s all you need. There’s no reason to look for things you weren’t taught or to use techniques outside the course.
What matters is opening the website, getting overwhelmed for a minute or two, and then opening your notes and following your methodology.
My Exam
When I opened my exam, I saw functionality that clearly matched an attack taught in the course. But instead of getting a quick win, I forgot once again to slow down. After a while (a bit too long), I found the exploit, and it turned out to be much easier than what I was trying. Like I already mentioned: there’s no need to look for attacks you didn’t learn. Stick to the coursework.
My “Sanity Check” from PWPA got a major update after doing PWPP, and for the rest of the exam it really helped me find and keep my flow.
Because you know more techniques now, it’s important to track what, how, and where you test. Don’t distract yourself with “I’ll test this endpoint on X and Y” but then get sidetracked by something else. Be strict with yourself and focus on one thing at a time.
Like with PWPA, I didn’t work more than seven hours on the first day, and I took my breaks. I felt good by the end of the day, did family stuff, and went to bed.
The second day, I was fully in the zone. A bit too much, actually. I forgot my breaks, forgot to drink, and barely ate. I fell straight into a rabbit hole and couldn’t get out. And that’s something I want to warn you about: falling into a rabbit hole is normal, and you do have to test it, but set a timer when you hit a problem. I was convinced there was something there, but I couldn’t find it because it simply wasn’t there.
My advice changed after that experience: hack away, but when you get stuck, set a timer and stick to it. I probably would have lost only an hour or two, but if I had taken my break, I would have realized sooner that it wasn’t worth pursuing.
After realizing I went too deep, I took a long break, forgot about it, and moved on to other problems. I did some extra hours that day but still got enough rest.
By the middle of the third day, I was out of ideas. So, just like in PWPA, I left my environment open and started my report. I had already taken screenshots throughout the exam and saved them in Notion with comments. With my report template prepared, it was mostly copy, paste, done.
I read it, re-read it, saved it to PDF, re-read it once more, and before my lab time was up, the report was ready.
I ended my environment, uploaded the report, hung out with the kids, and went to bed. The next morning, I already saw three notifications with “TCM Sec...” in my inbox. I opened the latest one, and my certification link was available. I passed PWPP!
Final Verdict
This exam was really fun and taught me something valuable. You have to stay open enough to let an exam teach you something, even without an instructor guiding you. The biggest lesson for me was the rabbit hole. I’ll try to recognize it faster next time.
It’s understandable that in an exam you want to find things, but even during an exam, you have to know when to stop. And that might be the most valuable lesson PWPP taught me.