Hello everyone! It’s been a while since I posted anything here but I have an update.
After earning the OSCP in 2022, I decided to dive deeper into web app penetration testing, and a fairly new certification came to mind: the Burp Suite Certified Practitioner (BSCP) exam.
Long story short, I passed the exam, so I'm going to share some info with you all.
What is the exam about?
“The Burp Suite Certified Practitioner is an official certification for web security professionals, from the makers of Burp Suite. Achieving BSCP status requires a deep knowledge of web security vulnerabilities, the correct mindset to exploit them, and of course, the Burp Suite skills needed to carry this out.” source: https://portswigger.net/web-security/certification
I was already somewhat familiar with Burp because of the OSCP, but I still felt weak on manual web pen-testing, so this felt like an excellent certification to study for to sharpen my skills.
It costs $99 per exam attempt. I got one attempt for free, since PortSwigger was giving out free attempts to anyone who completed some challenges during the last holiday season.
You will also need a Burp Suite Professional subscription ($449 for a one-year subscription), which is required to take the exam. Luckily, my company generously covered the cost for me.
Be prepared to take it several times; it's not an easy exam given the four-hour time limit.
How to prepare?
PortSwigger has the preparation steps laid out for you, so basically do everything they say and complete all of the Apprentice and Practitioner level labs. Additionally, you really need to be able to use Burp Professional to scan, identify the vulnerabilities it finds, and test them manually.
Definitely take notes with screenshots and review them constantly, as there are about 200 labs available at the moment. New labs are added every so often, but those new topics won't be added to the exam until a month has passed, so keep that in mind.
How much time did you spend studying?
I started spending a significant amount of study time (4+ hours) after Christmas and spent about a month just going through labs and reviewing them as I went.
However, I was already familiar with SQLi, XSS, command injection, and other topics from the OSCP (I had even done PortSwigger's labs for some of them), so I didn't need to study those again this time.
What the exam involves:
This page explains pretty much everything, but I'll point out a few things that aren't explicitly explained there.
For the system requirements, it says that the proctoring service they use "does not support Linux", but that only applies to your host machine.
You are allowed to use a virtual machine such as Kali Linux (which most of you will probably need for tools such as sqlmap) running on your host machine (it has to be Mac, Windows, or Linux).
The Proctoring Service:
Another thing worth mentioning is that the proctoring system they use is called Examity, and it has some flaws. It might just have been a temporary bug, but I couldn't start the exam for about 15 minutes for an unknown reason. While the help desk was trying to find the cause, the issue resolved itself.
Other than that, the process is pretty simple.
You just need to sign up on the Examity site (you'll receive an email from PortSwigger once you purchase an exam attempt), and you can take it any time you want (you have a year until the attempt expires).
During the exam, you can listen to music, as in the OSCP exam, so if music calms you during testing like it does me, have a playlist ready before the exam starts!
Your exam environment
Other than having your cheat sheet ready for testing (no, I'm not sharing my notes, sorry!), you need to create a project file just for the exam in Burp Suite Professional.
I posted a video about this on YouTube if you want more details.
My exam experience:
Enough with all the info! Let’s talk about my experience with the exam.
The exam was tricky. It had many rabbit holes, like the OSCP did, and it can be a lot trickier than the PortSwigger labs. You may need to try various encoding techniques to get a simple PoC working, then modify it to achieve the end result you want.
What helped me during the exam was taking notes while I tested different payloads, so I wouldn't retry what I had already tried. Obviously, you don't have much time, so you have to be quick about taking notes as well.
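As an added illustration of the two points above (trying several encodings of a payload, and logging what has already been sent so you don't repeat it), here is a small Python helper. It is not from the original post and is not the author's cheat sheet; the particular set of encodings and the harmless probe string `<s>` are my own assumptions for the example.

```python
import html
import urllib.parse
from typing import Dict, List, Set, Tuple


def encode_variants(payload: str) -> Dict[str, str]:
    """Return common encodings of one payload, keyed by technique name.

    The set of encodings is an assumption chosen for illustration; which ones
    matter in a given test depends on where the input is reflected
    (URL parameter, HTML body, JavaScript string literal, and so on).
    """
    url_once = urllib.parse.quote(payload, safe="")
    return {
        "plain": payload,
        # Single URL encoding: what a browser sends for a query parameter.
        "url": url_once,
        # Double URL encoding: survives one decoding layer (a proxy or filter)
        # and is decoded again by the application behind it.
        "double_url": urllib.parse.quote(url_once, safe=""),
        # Named HTML entities: relevant when the sink decodes entities before use.
        "html_entities": html.escape(payload, quote=True),
        # Decimal numeric character references: same idea, no named entities.
        "html_decimal": "".join(f"&#{ord(ch)};" for ch in payload),
        # JavaScript \uXXXX escapes: for input landing inside a JS string literal.
        "js_unicode": "".join(f"\\u{ord(ch):04x}" for ch in payload),
    }


class PayloadLog:
    """Record of payloads already sent, so the same variant is not tried twice."""

    def __init__(self) -> None:
        self._seen: Set[str] = set()
        self.entries: List[Tuple[str, str]] = []

    def attempt(self, variant: str, observation: str) -> bool:
        """Record a variant and what was observed. Returns False if already tried."""
        if variant in self._seen:
            return False
        self._seen.add(variant)
        self.entries.append((variant, observation))
        return True

    def untried(self, variants: Dict[str, str]) -> Dict[str, str]:
        """Filter a variant map down to the encodings not yet recorded."""
        return {name: v for name, v in variants.items() if v not in self._seen}


if __name__ == "__main__":
    # Constructed sample: a harmless probe string, not a real exploit payload.
    probe = "<s>"
    variants = encode_variants(probe)
    log = PayloadLog()
    log.attempt(variants["plain"], "stripped by the filter")
    log.attempt(variants["url"], "decoded once, still stripped")
    # Only the encodings that have not been sent yet are printed.
    for name, value in log.untried(variants).items():
        print(f"{name:14} {value}")
```

Keeping the observation next to each variant in the log is what makes the notes useful later in the exam: when a later stage reflects input in a different context, you can see at a glance which encodings already reached the sink and which were mangled.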
Also, make sure to read through this page a few times, as it gives out some information about the exam that can be crucial, such as the following:
"If you use this to delete your own account or a core system component, you may make your exam impossible to complete."
Scanning everything with Burp Professional could potentially cause exactly this problem if you get to the third stage…
The actual exam is a lot more complicated than the practice exam
Taking the practice exam is definitely important for understanding the concepts. However, you most likely won't see the same vulnerabilities you saw in the practice exam. Reviewing all the labs you have done is key.
While preparing for the exam, you should look at the practice exam, try to work out which labs could plausibly become one of the stages, and create a cheat sheet with lab info and solutions.
It shocked me a bit how much the exam differed from the practice exam; I can’t disclose too many details but…be prepared.
Alright, that's all I can share about the exam. I'm glad I took it, as it taught me how to be quick at finding and exploiting web-based vulnerabilities, and going through the labs definitely taught me essential new skills.
PortSwigger took a few business days to verify my result, but I finally got the cert!