Sans 542 and GWAPT Review

I recently finished the OnDemand version of the SANS 542 Web App Penetration Testing and Ethical Hacking course and passed the GIAC Web Application Penetration Tester (GWAPT) exam so I thought I would post a few quick thoughts on the course and exam.

It’s more than a little redundant to say a SANS instructor did a great job but Kevin Johnson rocked. I was slightly biased coming in as I talked to him for about 90 seconds last year in Vegas and he was really friendly but even setting that massive amount of personal experience aside Kevin is both incredibly entertaining and a great teacher. I really want to take a class from him in person so I need to keep my eyes peeled for any 642 offerings out west.

Mr. Johnson is very upfront about what the class is and isn’t. While there is a full day devoted to exploitation the class is not a collection of “Here’s exploit A, now here’s exploit B…” but rather an overall look at web app pen testing methodology and best practices as a whole.

What this class won’t give you:  “If they’re using WordPress version 3.2 I’ll use exploit X but if they’ve upgraded to 3.3 I’ll use exploit Y”

What this class will give you: The ability to properly examine a website, determine the underlying technologies, give you an understanding of possible attack vectors based on your earlier findings and expose you to the tools to help you locate these vulnerabilities and attempt to exploit them.

It really boils down to the old give a man a fish vs. teach a man to fish thing and I’m extremely happy this class takes the approach they do. The SANS website course breakdown is accurate so there’s no need for me to give a play by play on what was covered but you will learn concepts to test both specific types of technologies (AJAX, Flash, Javascript etc.) and technology independent design and logic flaws. The course also covers using Python scripts to help automate your testing.

I had played with a lot of these tools and been exposed to a lot of the concepts from earlier courses and practice but the 542 did a great job of providing a systematic approach and a barrel full of real world stories which tie concepts taught in class to practical applications. As penetration testing is a hobby rather than a daily job for me I greatly enjoyed and appreciated these.

Regarding the test, it’s short and I loved it! The test is 75 questions long and you have two hours to complete it. I finished with 30 minutes left and got a score in the low 90s so it’s very doable.

My GWAPT index was quite a bit shorter (7-8 pages) than a lot of my previous indexes but it honestly wasn’t a matter of laziness as much as it was the material didn’t seem to lend itself to a fat index as well as other courses have. During the test I never looked for a topic in my index and came up empty so mission accomplished.

There were definitely questions on the exam which required me to understand multiple concepts rather than just reference a particular page. I’m perfectly ok with that if the tradeoff is a two hour enjoyable test instead of a five hour exam that has me questioning my life choices towards the end. I hope more classes go to the shorter exam format.

In summary I enjoyed the course, learned a lot, passed the test and had a good time doing it all.

Comments

Post a Comment

Popular posts from this blog

SANS Index How To Guide with Pictures

Image
I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others. I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable. A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index. Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS
Read more

Introducing FaviconLocator: The Eazy Button to Searching by Favicon

Image
  Favicons (short for favorite icons) are the cute little pixelated images that appear next to the site name in web browser tabs, bookmarks, etc. In the image below we can see the iconic GitHub logo on their site and the KFC logo on a bucket of chicken on their site. Originally, favicons were designed to add a touch of professionalism and branding, but for anyone who is like me and has over a dozen tabs open at any time, favicons are the only thing displayed and how I navigate tabs. Most of us rely on favicons on a daily basis but many never think of them as a tool we can use in OSINT and CTI investigations. That’s what we’re doing to talk about here as well as introduce a new tool. In addition to branding and aiding in navigation between tabs, favicons can serve as unique identifiers for websites. These unique identifiers can help us: Trace the online presence of organizations and discover obscure digital assets Map the online infrastructure of potential threats Potentially de-ano
Read more

Automating Domain Squatting Detection with DNSTwist and Python

Image
  There’s a good chance that, at some point, you’ve received a spam email with a link that looked close to the name of a popular domain but was just a little off. Payapl.com instead of Paypal.com or similar. Domain squatting is a malicious activity where attackers register domain names similar to legitimate ones. Attackers may use these domains to deceive users into believing they are visiting a legitimate website, which can lead to phishing and other attacks. DNSTwist (available here: https://github.com/elceef/dnstwist ) is a popular tool that helps identify domain names that are similar to a given domain name. It generates a list of potential domain names by applying various fuzzing techniques to the given domain name and then checks if these domains are registered. Check out the list of Bank Of America copycat domains: DNSTwist is an amazing tool that should likely be a part of every organization's Cyber Threat Intelligence monitoring efforts, and I wanted to automate it
Read more