
Whenever there is down time between tests, it is a good time to improve at penetration testing and obtain a new certification. After working through PortSwigger’s Web Security Academy, the Burp Suite Certified Practitioner (BSCP) exam by PortSwigger is a great next step to test the knowledge gained from the course. While there are many certifications vying for a tester’s attention, the BSCP stood out as a certification with several benefits.

What is the BSCP Exam?

The BSCP exam is hosted by PortSwigger, the company behind the popular Burp Suite application that is used to proxy web traffic and manipulate it. This is the most common tool used for application penetration testing. The exam builds on the lessons taught in PortSwigger’s Web Security Academy and features two vulnerable web applications.

In both applications, individuals start as an unauthenticated user. From there, they must:

  • Obtain a user account.
  • Escalate to administrator privileges.
  • Read and submit the contents of a file on the server located at /home/carlos/secret.

Unlike the Offensive Security Certified Professional (OSCP) exam hosted by Offensive Security, there is no room for error here; both applications must be solved in full to pass. In addition, the BSCP exam runs for only four hours, leaving two hours per machine if the time is split evenly. These points set the BSCP apart, as many exams allow some room for error and a longer examination period. The result is a challenging scenario in which candidates need to be adequately prepared to identify and exploit every topic that can show up on the exam, with very little time to figure anything out during the exam itself.

The cost of the exam is another major difference between the BSCP and other certifications. Each attempt at the BSCP exam costs $99, and the learning material for the exam is all available for free. This gives an unlimited study period with an affordable examination. In comparison, the industry-leading OSCP qualification is $1,500+ for a limited duration of lab access and one exam attempt.

OSCP is often the go-to recommendation for getting into the penetration testing industry, but with such high costs, it is often not feasible. The OSCP exam does cover web application testing; however, it focuses on infrastructure. Considering that the majority of penetration testing work for most providers is web application focused, could the BSCP be a fairer and more accurate route into penetration testing?

Preparation

Though the exam may be difficult, PortSwigger provides an excellent learning environment to prepare for the exam. Even if one is not interested in trying the exam, anyone interested in learning web application testing should spend some time going through the labs available in PortSwigger’s Web Security Academy. The Academy does a thorough job of explaining each topic that may show up on the exam and provides labs to practice concepts after you learn them.

The Academy teaches you through practical labs, which allows you to collect proof-of-concept (PoC) templates for each vulnerability that you learn. Saving the provided templates as they show up can save a significant amount of time on the exam. The same templates can also be used in real-world situations and have been helpful for providing quick and concise examples of attacks to clients. Knowing how each attack works and being able to modify it for a given situation is critical to quickly working through the exam machines. It is helpful to have each PoC attack saved in a note and grouped by type for easy access, as well as keeping a link to the PortSwigger XSS and SQLi cheat sheets. These cheat sheets are thorough and widely used by industry professionals.

Going through the labs also has the benefit of gaining familiarity with how PortSwigger likes to structure a vulnerability. Whilst the vulnerabilities in an exam may be tweaked from the original lab examples, many are structured similarly enough to provide a hint as to how to exploit them.

Stay Active

Performing active scanning against the entire application is a simple step that can save hours of time.

The active scanner can identify nearly every vulnerability in exam machines. The scanner will also provide a starting point to build an exploit from, which can skip the initial troubleshooting of preparing an exploit. It may also prevent falling down a rabbit hole if it identifies something unexpected.

Overall, it is a step that only takes two clicks. There’s no reason not to begin scanning a new page or new parameter found during the exam.

Search For What’s Different

Sometimes initial scans and checks will not reveal anything exploitable. In these cases, it is useful to remember that all the labs and exams are based on the same blog templates. What is different from that default template?

These can include new response headers like Cache-Control or Access-Control-Allow-Origin, unexpected content like an EventListener element, HTML comments, or unexpected pages such as a contact us page or a comment form. It can be helpful to have a shortlist of terms to search for in Burp Suite to identify these differences. If a term is found in responses from the server, it is probably a hint toward the intended exploit.

An initial list could include cache, access-control, eventlistener, message, <!--, //, eval, and innerhtml. Include any other elements that seem useful while working through the labs.
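To make that shortlist repeatable outside Burp Suite, here is a small added helper (my own example, not code from the post) that scans a saved HTTP response for the terms above and reports the line numbers where each appears. The topic labels beside each term are my own annotations, and the sample response is constructed; note that `//` inside an `http://`/`https://` URL is ignored so that ordinary links do not drown out real JavaScript comments.

```python
import re

# Hint terms from the post's shortlist, each mapped to the exam topic it usually
# signals (the labels are my own annotations, not from the post).
HINT_TERMS = {
    "cache": "web cache poisoning / cache deception",
    "access-control": "CORS misconfiguration",
    "eventlistener": "DOM-based issues (postMessage, DOM XSS)",
    "message": "postMessage handling",
    "<!--": "HTML comment that may leak a hint",
    "//": "JavaScript comment or unusual path",
    "eval": "DOM XSS sink",
    "innerhtml": "DOM XSS sink",
}

# Strip URL schemes so that "https://" does not count as a '//' comment marker.
URL_SCHEME = re.compile(r"https?://", re.IGNORECASE)


def find_hints(response_text: str, terms=HINT_TERMS) -> dict:
    """Return {term: [line numbers]} for each hint term present in a raw HTTP
    response. Matching is case-insensitive; '//' ignores URL schemes."""
    hits = {}
    for lineno, line in enumerate(response_text.splitlines(), start=1):
        lowered = line.lower()
        for term in terms:
            haystack = URL_SCHEME.sub("", lowered) if term == "//" else lowered
            if term in haystack:
                hits.setdefault(term, []).append(lineno)
    return hits


# Constructed sample response resembling a tweaked lab blog page.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: public, max-age=30
Access-Control-Allow-Origin: https://example.com

<!DOCTYPE html>
<html>
<!-- TODO: remove debug param -->
<script src="https://example.com/resources/js/tracking.js"></script>
<script>
// handle messages from the widget
window.addEventListener('message', function(e) {
    document.getElementById('ads').innerHTML = e.data;
});
</script>
</html>"""

if __name__ == "__main__":
    for term, lines in find_hints(SAMPLE_RESPONSE).items():
        print(f"{term!r:18} lines {lines}  -> {HINT_TERMS[term]}")
```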

Know Your Other Tools

It is crucial to understand other tools and what environment is required for them to work. Take the following example:

You have gone through the first two steps of your exploitation process, and you have discovered an insecure deserialization vulnerability. You know that you can use the popular tool ysoserial to exploit the vulnerability. However, you do not know the syntax required to use the tool, nor the environment that is needed for it to work.

If the tool was previously configured and understood, the exploitation process should take only a few minutes. If the tool has not been configured already and a user has to find out that ysoserial does not play nicely with updated versions of Java during the exam, this could cost a significant amount of time when there is no time to spare. Luckily, the labs should prepare users for pitfalls like this, as ysoserial needs to be set up to successfully complete the Java deserialization labs.

Similarly, having a strong familiarity with sqlmap could help save time and solve tricky SQL injections. Along with active scanning everything, anytime a SQL injection vulnerability is identified, the request can be copied into a file and sqlmap can be run against it. It takes less than a minute to set up and may exploit a SQLi vulnerability on its own.

Finally, configuring Burp Suite with extensions will help with niche problems if they show up on the exam. JWT Editor and inQL are both helpful for JSON Web Tokens (JWTs) and GraphQL respectively, and Param Miner, Turbo Intruder, and Hackvertor provide quality-of-life improvements and general functionality that may help enumerate vulnerabilities.

The BSCP Versus Other Certifications – What’s the Best?

Now the most important question: Is the certification worth obtaining in comparison to other certifications?

Let’s start with the pros of the BSCP. If you are interested in web application testing, there is no better starting point than the Web Security Academy provided by PortSwigger. If you are already going to go through the labs, the BSCP is a great end goal to solidify that knowledge. PortSwigger lets you be flexible since the labs are free to use and you do not have to commit in advance to taking the BSCP. If you want to work through the Academy and then choose to complete a different certification, you do not have to spend the money up front for the studying material, unlike other certifications. The BSCP is also a fraction of the cost of any other certification for a similar amount of gained knowledge. The cost of Offensive Security’s OSWA (not to mention SANS GWAPT) is a lopsided comparison, but even comparing it against cheaper web certifications like HackTheBox’s Certified Bug Bounty Hunter or TCM Security’s Practical Junior Web Tester shows the BSCP is an outlier. As a web application tester already working through the Academy, the BSCP seemed like an obvious choice to try—even if you do not pass, it is only $99, so why not give it a try?

What are the cons for the BSCP versus other certifications? The most important thing people look for in a certification, particularly when they are just starting out, is whether that certification will help them land a job. While the knowledge gained from the Web Security Academy will help you perform better in interviews, it is unlikely it will directly help you land an interview at this time. Browsing job boards makes it clear that the certifications that HR departments are looking for are OSCP and SANS certifications. If you do not have the OSCP and want to improve your chances of being hired, start with obtaining the OSCP and work on the BSCP and PortSwigger Web Security Academy labs afterwards.

Despite this flaw, PortSwigger is a big name in cybersecurity, and name recognition can go a long way. The BSCP may never be elevated to the status of a certification like the OSCP, but there is a gap in the industry for an entry-level web application certification for hiring departments to look for, and owning Burp Suite gives PortSwigger an advantage. As well, if your resume can make it past HR, any penetration tester involved in the interview process will have more familiarity with PortSwigger than with other companies.

Overall, the BSCP’s excellent learning materials and extremely low cost speak for themselves. Anyone interested in web application testing should consider going through PortSwigger’s Web Security Academy and obtaining the BSCP.