As some may be aware, in January 2015 I started the SANS ‘SEC542: Web App Penetration Testing and Ethical Hacking’ SelfStudy course. I passed the GWAPT (GIAC Web Application Penetration Tester) certification at the end of May, so I figured I would write up a review of the course and summarise my experience.
The syllabus is split into the following areas:
- The Attacker’s View of the Web
- Reconnaissance and Mapping
- Server-Side Discovery
- Client-Side Discovery
- Capture the Flag
SEC542 was designed to be delivered in the traditional classroom style over a period of six days, with each syllabus area covered in roughly one day.
The course material is delivered through a number of different media. The SelfStudy student receives:
- Audio Recordings (Online)
- Data DVD (containing two VMs)
- VPN Certificates
The audio recordings are taken from a live delivery of SEC542 and the ‘books’ are bound print-outs of the instructor’s PowerPoint presentation. The idea is that you listen to the instructor and follow along with the slides. Each page is dedicated to a slide, with space to make your own notes etc. The online recordings can only be accessed for a period of 4 months from your start date; but you could actually download them for offline use (there is no built-in functionality in the portal to do this, but we’re hackers, right…?).
The DVD contains two virtual machines, but unfortunately they are only in VMware format and not something more universal. SANS stipulate that you require VMware Player 3.x, VMware Workstation 7.x or newer, or VMware Fusion. But I was using VirtualBox on a personal Mac, for which I have not bought Fusion. Therefore, I had to convert the VMs using a trial version of Fusion.
The first VM is a customised version of SamuraiWTF (that stands for Web Testing Framework, people!); the second is an Ubuntu VM with lots of additional vulnerable applications installed on top. So these are your ‘attacker’ and ‘victim’ VMs, which are used for all of the exercises throughout the course.
This seems like a good time to mention that even though SANS advertise a virtual lab as part of this course, it is only used for the CTF at the end.
This whole setup works OK for the most part, as you can transfer everything to a laptop and do bits of the course ‘offline’, which some people may find convenient. However, I did experience a few niggly issues. There appear to be a few instances where the slides/audio vary from the exercise on the VM, as if the material has been updated but the VM hasn’t. For me, this led to a few situations where some of the exercises weren’t working as expected; and because you can’t ‘see’ what the instructor is doing it obviously makes it hard for you to confirm that what you are doing is correct.
The syllabus areas above are rather broad statements, so which topics are actually covered? Well, a lot… To list the major ones:
- Information leakage
- Username harvesting
- Command injection
- SQL injection (inc. Blind)
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Session issues
- Client-Side Vulnerabilities (inc. Flash, Java, AJAX)
- Coverage of Tools (inc. BeEF, ZAP, Burp Suite)
This is a lot of information to digest, so you may not be surprised to hear that SEC542 is not designed to cover any of these areas in any serious depth. It is certainly more of an entry level course.
Capture the Flag
You can connect to the lab via VPN at any time during your 4 months of access, where you can practise all of the techniques covered in the course. It’s more of a consolidation exercise in my eyes, rather than a necessity of the course. How much benefit you gain from it is going to be personal to you.
The GIAC certification attempt is an optional extra when purchasing SEC542, so you can take the course and not attempt the certification if you wish. The exam for the GIAC Silver certification is a multiple-choice test that you must travel to a proctored test centre to complete.
What I did like is that you get two free practice exams in your SANS portal, which you can take from home/work/wherever. You can customise it to tell you when you get a question wrong, and it gives you a pretty good explanation of why and what the correct answer was. You can also make it tell you why you got a question correct (which is useful if you just happened to guess a question right).
At the end of the practice test it gives you a 5-star rating for each topic area, so you can identify your strongest areas and those that need more revision.
Both the practice and actual exams give you a checkpoint of your progress at set intervals (I think it’s every 15 questions), so you can see if you are above or below the pass mark (which is 70%).
Oh yeah, and it’s open-book… You can take in all of the course slides, or any other paper resource (that could even include something like The Web Application Hacker’s Handbook). You have a maximum of 2 hours to complete the 75 questions, but since the course slides, for example, have no contents or index pages, there is the potential to waste a lot of time looking for things if you rely on them too much.
This actually makes the exam sound really easy, but a level of comprehension is required, as the information from the course can’t simply be lifted and applied to the exam questions.
Passing the exam gives you a ‘silver’ certification, but if you fork over another ~$600 to SANS you can attempt the ‘gold’ certification. This involves writing a paper/technical report with guidance from a SANS Advisor which will then be published in their Reading Room.