Practical Web Pentest Associate Review!
I took the Practical Web Pentest Associate (PWPA) certification exam, formerly known as the Practical Junior Web Tester (PJWT), by TCM Security last month, and for the next 5 minutes I will share my experiences, starting from purchasing the training up to getting the passing mark.
12/14/2024, 4 min read
Disclaimer: This write-up is coming from a non-technical perspective and is targeted towards non-technical readers. I will avoid speaking too technically as it will get boring really quickly.
Web applications are the most commonly used type of software that runs in your web browser, as they are the first layer of user interaction whenever you visit a website. Many businesses, including this one, use them to exchange information and deliver services remotely with secure practices.
Shopping carts, search filtering, instant messaging, social media newsfeeds and password managers are common examples of web applications. In short, the user does not have to install any additional software or configure anything, since all of the needed functionality is built into the web application itself.
Since it is the front-facing part of any system, it is a target for attackers, who start by scanning and enumerating the website to search for weaknesses, eventually exploiting the vulnerabilities in order to gain an initial foothold on the system.
Many of the most common ways to attack a website, and the vulnerabilities behind them, are covered by the OWASP Top Ten. This list is maintained by the community for developers and web application security enthusiasts. As long as you know what the attacks do, you can use the OWASP Top Ten as a reference guide or checklist of things to do.
The main reason I decided to learn about web application attacks was to understand how to gain an initial foothold whenever I am facing a specific web application on a machine.
Furthermore, whenever there was a machine where the web application was the first software to attack, I did not know what to do or look out for. Certainly, you can say that it is a weakness I needed to strengthen. The questions I was asking when faced with a web application were:
1) What does this web application do?
2) What do I need to check first?
3) What is the methodology to find vulnerabilities?
4) If I do find a potential vulnerability, how do I exploit it?
There are a lot of web application courses out there on the internet that vary in content delivery, content duration and, most importantly, price. Having had a good experience with TCM Security after taking their previous examinations and courses (PJPT & PNPT), I went ahead and purchased what was back then known as the Practical Junior Web Tester Certification Exam.
The Practical Web Pentest Associate (PWPA) Exam was introduced in late 2023 by TCM Security. It is a 4-day exam, split into 2 days for finding exploits in the web application and the remaining 2 days for writing the report. When purchasing the exam, students are provided with the following materials for only USD$249:
Practical Bug Bounty Course, taught by Alex Olsen
Hands-on Lab
1x Exam Attempt & 1 Free Retake
Let's start with the Practical Bug Bounty Course. I felt the course definitely delivered, as Alex explained everything clearly from a beginner's point of view. The OWASP Top Ten is heavily referenced throughout the course, with each section or topic broken down according to the top ten. Within each section there are challenge labs that you can do by yourself, and Alex provides a walkthrough of how to work through them.
This exam is aimed at beginners and those interested in getting started with web application attacks, but it is also a good refresher for those who are experts in web application attacks. Although TCM Security labels this as a beginner-level exam, it was still a challenge, required a lot of practice, and I do recommend extending your learning materials beyond the course provided.
My background is mainly in server/network penetration testing, as I have mostly been doing machines from Offsec's Proving Grounds, TryHackMe and HackTheBox. Those do include some web application attacks, but the bulk of the attacks focus on lateral movement and privilege escalation. In other words, the methodology would always be the following:
Scanning & Enumeration > Gain Initial Foothold > Lateral Movement > Privilege Escalation > Administrator (Owning the System)
This methodology cannot be applied when you are taking the course and later the exam, as the main goal is not necessarily to root the system but to find all vulnerabilities. I learned this the hard way: I failed on my first attempt because I was trying very hard to find an exploit that could be used to gain remote access to the simulated web application. The Rules of Engagement clearly stated that "you need to find all vulnerabilities", which I had not fully read. With that, here is a tip for you; the methodology would instead be:
Scanning & Enumeration > Find Vulnerabilities > Report
That's it! By examining the OWASP Top Ten you can carefully build a methodology of what to look out for in a web application.
Once you have identified all vulnerabilities in the web application, a professionally written report will need to be submitted to the TCM Security team. Your report determines whether you pass the exam or not, so please make sure to write the report based on what was stated in the Rules of Engagement.
To conclude this write-up, I felt that the Practical Web Pentest Associate exam not only validated my skills in web application penetration testing but also taught me a different methodology for attacking the front-facing part of a machine. Using the OWASP Top Ten list as a reference was also key, as it acted as a checklist of vulnerabilities that may be present in a web application.