Application Security,  DAST,  Technical

eWPTX Review


Hello All!

I recently passed eLearnSecurity’s eWPTX & as promised (to myself and you), I am writing a non-biased, thorough review of my entire journey. Honestly, reviews are crucial to all of us; we rely on them to help us come to a decision on whether a course or cert is worth it for us. I wanted to continue paying it forward! Some chronological history sets the stage for us:

2/2017 – Yay! My first security certification #CEH
5/2017 – Whoa (gasps for air) this was a nice ride #GPEN
11/2017 – You’re insane – a hell of a year #OSCP

1/2018 – I had taken a well-deserved month-long break and when I returned I felt lost. After OSCP for 60 days you almost become a machine, you yearn for complex challenges every single day. I desperately needed an official course w/ structure and quality content. After shopping around (reading others’ reviews) I decided to push the button on eWPTX. Web Apps have always been my favorite & OSCP was light on them so I figured I could beef up and become a web app ninja. Note: I already understood all web app vulnerabilities and had hacked a bunch. This is why I selected the Extreme version of the course. I was only concerned w/ advanced versions of the attacks I was familiar with already.

5/2018 – Man! This course isn’t the cheapest in the world, especially paying out of pocket. But I made a deal with myself that I would NEVER limit my learning via the number on a price tag. I think any investment into yourself is priceless! A man still has bills & responsibilities though. So the good folks at eLearnSecurity actually have a payment plan: you break the price up into thirds. After the initial payment (~450 USD) you get access to the first third of the course content, and so on and so forth. I thought this was a really nice gesture (unusual almost). Thank you eLearnSecurity! This had a positive side effect. Myself, and I’m sure many of you reading this, have issues following a linear progression. This is because some topics are bound to be more interesting than others. A topic on SQL Injection will 10/10 always beat a topic on DoS, for instance. So you tend to bounce around and unfairly devote more time to the things that are most appealing to you. Since I only had access to the course in so-called blocks it was impossible for me to bounce around lol! I could see the material but couldn’t access it. Anyways, onto the meat and potatoes:

eWPTX Module 1: Encoding and Filtering
The course begins by explaining all the layers of web apps and how data is interpreted and processed by each. These topics will be recognizable by even the most junior of guys, as in base32/64, URL, Unicode, and HTML encoding. There is an in-depth section on all of these, so instead of just being able to recognize base64, you manually learn how the blocks are constructed. Things move on to filtering with deep dives into Regular Expressions, WAFs and client-side filters. I appreciated this module because it really gave substance to things I thought I knew already, but in hindsight I only had surface-level knowledge and that’s it.
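To make the "how the blocks are constructed" point concrete, here is an added example (my own code, not course material): a base64 encoder and decoder that works one 3-byte block at a time, exactly as the encoding module describes it, with the result checked against Python’s standard library. The sample input is constructed.

```python
# Added example (not course material): base64 built by hand, block by block,
# then checked against the stdlib implementation.
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def encode_block(chunk: bytes) -> str:
    """Encode one 1-3 byte chunk into 4 base64 characters (with '=' padding).

    The bytes are concatenated into a 24-bit group, which is then split into
    four 6-bit indexes into ALPHABET. Missing input bytes are zero-filled and
    the output positions that depend only on that zero fill become '='.
    """
    n = len(chunk)
    if not 1 <= n <= 3:
        raise ValueError("block must be 1-3 bytes")
    padded = chunk + b"\x00" * (3 - n)
    group = (padded[0] << 16) | (padded[1] << 8) | padded[2]
    sextets = [(group >> shift) & 0x3F for shift in (18, 12, 6, 0)]
    chars = [ALPHABET[s] for s in sextets]
    keep = n + 1  # 1 byte -> 2 real chars + "==", 2 bytes -> 3 real chars + "="
    return "".join(chars[:keep]) + "=" * (4 - keep)


def b64encode_manual(data: bytes) -> str:
    return "".join(encode_block(data[i:i + 3]) for i in range(0, len(data), 3))


def decode_block(block: str) -> bytes:
    """Reverse of encode_block: 4 characters -> 1-3 bytes."""
    if len(block) != 4:
        raise ValueError("block must be 4 characters")
    pad = block.count("=")
    if pad > 2 or (pad and not block.endswith("=" * pad)):
        raise ValueError("bad padding")
    group = 0
    for ch in block.rstrip("="):
        group = (group << 6) | ALPHABET.index(ch)
    group <<= 6 * pad  # restore the zero bits the padding stands for
    return group.to_bytes(3, "big")[:3 - pad]


def b64decode_manual(text: str) -> bytes:
    if len(text) % 4:
        raise ValueError("length must be a multiple of 4")
    return b"".join(decode_block(text[i:i + 4]) for i in range(0, len(text), 4))


def blocks(data: bytes) -> list:
    """Pair each input block with the 4 output characters it produced."""
    return [(data[i:i + 3], encode_block(data[i:i + 3])) for i in range(0, len(data), 3)]


def matches_stdlib(data: bytes) -> bool:
    """True when the hand-rolled round trip agrees with base64.b64encode."""
    encoded = b64encode_manual(data)
    return encoded == base64.b64encode(data).decode() and b64decode_manual(encoded) == data


if __name__ == "__main__":
    sample = b"admin:pw"  # constructed sample input
    for raw, enc in blocks(sample):
        print(f"{raw!r:>12} -> {enc}")
    print("agrees with stdlib:", matches_stdlib(sample))
```

Run it and you can see why a base64 string is always a multiple of 4 characters long and why the trailing `=` count tells you how many bytes the last block was short; that is what lets you spot (and decode) base64 by eye even when the data is wrapped in another encoding.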

eWPTX Module 2: Evasion Basics
I’ll start off by saying there was nothing basic about this module! OMG! I learned some of the “gnarliest” things in my life, right here. Trust me, a module has to be pretty darn good to be a favorite and it’s not even on a specific vulnerability. The typical base64 encoding is here also, but you’ll jump into obfuscation in regards to URIs, PHP and JS. The piece on non-alphanumeric PHP obfuscation and JS blew my mind. Literally I lost it. Invaluable module.

eWPTX Module 3: Cross-Site Scripting
Yay! Some specific vulnerabilities! This starts out w/ the proliferation of XSS and how wide-spread it is. This module gives the student all the historical context behind XSS. I loved this. It continues to describe the variations of the attack, and then what you can leverage w/ an XSS attack. Sidenote: I remember early in my career downplaying the risk of an XSS attack (any type); don’t be like me, this ignorance was from lack of knowledge. The module continues with relevant recent attacks and types of things you can leverage via XSS. For example, Cookie Grabbing (no shockers there), Defacement, Phishing, Keylogging & Internal Port Scanning. If someone asks you “What’s the worst you can do with an XSS?” look at them and laugh. Alright, so I know personally we always use alert(1) or a variation to prove XSS. After the course I see why many folks don’t understand the true risk behind it. Instead of thinking cookies, think JS, any JS, all JS. Instead of alerting, you could include your external JS to do whatever the hell you want. (Example?) Submit an XHR request, steal the CSRF token, submit another XHR request updating a profile via an XSS and bypass SOP? Now you’re on to the correct thinking!

eWPTX Module 4: XSS – Filter Evasion and WAF Bypassing
Ok, with the student adequately equipped via Module 3, the course burns through an insurmountable amount of evasion techniques, many that I’d never seen or read about before. The content is very relevant and recent. It starts off w/ beating sanitization, blacklist filters, and browser security filters. I won’t include any of the techniques or examples. You have to purchase the course for that. A little bit to whet your appetite: you’ll learn thousands of ways of constructing strings, i.e. from charcode, using JS constructors, bypassing filters for XSS in event handlers, bypassing filters for XSS that may check for quotes. Do you know how to bypass a filter checking for parentheses? This left me so hungry! But I had to wait 12 more days until my 2nd payment cleared to get access to the 2nd third of the course. I revisited each one from the beginning.

eWPTX Module 5: Cross-Site Request Forgery
Historical understanding of the vulnerability and the basics I’m sure we all know already. What it is, what can it be used for? Beyond that, the attack vectors I enjoyed! You’ll learn how to exploit non-existent CSRF mechanisms as well as bypass weak ones. The student should spend time to understand all the browser security frameworks; it can’t hurt. The most interesting parts for me were using Burp Sequencer to analyze token entropy, discover poor randomness and then brute force it using XHR requests. So if you have 10 unique tokens then firing off 10 requests in succession, one of your requests is definitely going to get accepted! What happens if it’s 100 tokens instead of 10? eLearnSecurity dropped HTML5 Web Workers on us. OMG – Why are you still reading, get your credit card and purchase this course!

eWPTX Module 6: HTML5
The weakest module in my opinion. It discussed all the new features and historical context of the web overall and what it’s evolved to. Onto some new exploitation techniques: since HTML5 includes new tags it introduces more vectors for potential attacks, and definitely bypasses anything that isn’t aware of these new implementations.

eWPTX Module 7: SQL Injection
Always everyone’s favorite (my 2nd – my ultimate treat in this course is yet to come). You’ll get all the information you need to understand the attack, and learn how to exploit it for every Database! Not just MySQL. Then on to a new variation that I learned for the first time in this course: 2nd Order SQL Injection! Think normal SQLi where you inject some payload, affect the backend query, and the web app returns what you asked for. But a “level up” version. In this scenario, you inject a payload into the database that isn’t immediately used, so you get no response. It takes a further action within the app to trigger your original payload and return your result. A simple example is injecting into a vulnerable name field on a registration page. Let’s say you log in w/ email and password, and inside your profile page a query runs to retrieve your name from the DB, but guess what your name is in the DB: “‘>ascii(substr(version(),1,1)#” … So what’s going to happen? Pwnage! That’s what’s going to happen!
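The registration-then-profile scenario above is easy to misread as “the INSERT is the bug”. It isn’t, and this added example (my own code, not course material) shows why: a tiny sqlite3-backed app stores the name with a parameterized INSERT, so registration is perfectly safe, and the injection only fires later when the profile page pulls the stored name back out and concatenates it into a second query. The same lookup is shown parameterized, which is the fix. Table layout, accounts and the `x' OR '1'='1` name are all constructed for the demo.

```python
# Added example (not course material): second-order SQL injection in a toy
# sqlite3 app, with the vulnerable profile lookup beside the parameterized fix.
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, name TEXT);
        CREATE TABLE notes (owner TEXT, body TEXT);
        """
    )
    # Constructed sample data: each user has one private note keyed by name.
    db.execute("INSERT INTO notes VALUES ('alice', 'alice private note')")
    db.execute("INSERT INTO notes VALUES ('bob', 'bob private note')")
    return db


def register(db: sqlite3.Connection, email: str, name: str) -> None:
    # Registration is parameterized, so the name is stored verbatim and
    # nothing breaks here. That is exactly what makes the bug "second order":
    # the first hop looks fine.
    db.execute("INSERT INTO users (email, name) VALUES (?, ?)", (email, name))


def stored_name(db: sqlite3.Connection, email: str) -> str:
    row = db.execute("SELECT name FROM users WHERE email = ?", (email,)).fetchone()
    return row[0]


def profile_notes_vulnerable(db: sqlite3.Connection, email: str) -> list:
    # The name came from our own database, so the developer "trusts" it and
    # concatenates it into the next query. Data at rest is still user input.
    name = stored_name(db, email)
    sql = "SELECT body FROM notes WHERE owner = '" + name + "'"
    return [r[0] for r in db.execute(sql)]


def profile_notes_fixed(db: sqlite3.Connection, email: str) -> list:
    # Same lookup, but the stored value is bound as a parameter, so it can only
    # ever be compared as a string and never becomes part of the SQL grammar.
    name = stored_name(db, email)
    rows = db.execute("SELECT body FROM notes WHERE owner = ?", (name,))
    return [r[0] for r in rows]


def demo() -> tuple:
    """Return (vulnerable result, fixed result) for the attacker's profile page."""
    db = make_db()
    register(db, "alice@example.com", "alice")
    # Constructed attacker name: harmless at registration time, becomes part
    # of a query only when the profile page runs.
    register(db, "mallory@example.com", "x' OR '1'='1")
    return (
        profile_notes_vulnerable(db, "mallory@example.com"),
        profile_notes_fixed(db, "mallory@example.com"),
    )


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable profile page returned:", vulnerable)
    print("fixed profile page returned:     ", fixed)
```

The vulnerable lookup returns every user’s note because the stored name turned the WHERE clause into `owner = 'x' OR '1'='1'`; the fixed lookup returns nothing, since no note is owned by that literal string. The lesson for reviewers is that “the value came from the database” is not a reason to skip parameterization, and a grep for string-built SQL needs to cover reads of previously stored fields, not just request parameters.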

eWPTX Module 8: SQLi – Filter evasion and WAF Bypassing
Similar to the XSS bypass module, you’re learning about DBMS gadgets, bypassing keyword and function filters. Again, hundreds of new techniques that are just 1337! Comments, Intermediary Characters, Strings, Integers, Type conversion.

eWPTX Module 9: XML Attacks
My favorite! A little bias here though, because XXE was the first newer attack that I discovered on my first official solo pentest. I’ll never forget that! You’ll get a great recap on the XML standard and how it was derived and its comparison to HTML. The module includes XML tag injection, XXE, XEE, and XPath Injections! It’s a big module with a bunch of great content. I actually knew nothing about XEE or XPath before this course. I guess this is how you end with a bang!

eWPTX Labs:
There are labs for all the vulnerabilities discussed except HTML5, and you’re required to utilize all techniques learned in the encoding and bypassing chapters. A VPN connection to the lab and adding the DNS server is all you need to get started. The labs are NOT easy! As always, it’s good to fight as hard as you can and not look at the solutions. Challenge yourself to think harder, go back over the module, check out the related videos and think more. I also encourage you to solve things multiple ways. For instance in the XSS lab you could defeat one using an svg tag, or a script tag using native JS and unicode encoding, or a script tag with hex encoding, or hex, unicode and octal. It’s endless lol! Labs are quality.

eWPTX Exam:
So the great thing about self-paced courses is you don’t get dinged if life happens. So I got married in the middle of this course, came back and didn’t really touch the course for a month. When I did I started completely from the beginning. I think a good part of this learning thing is not lying to yourself and breezing through things you barely understood – but read. In addition, have the discipline to read things over and over again with the same scrutiny and amount of intrigue as your first time. So I signed up for the exam after this last time going through the entire course. I won’t give specifics to preserve the integrity of the exam. The scope was vaguely: here’s a domain and a few web servers, find everything you can, document it and submit a professional report. Again, eLearnSecurity got it right here, tailoring the exam to an adult with a life and career, so you get 7 days to hack and 7 days to report. Within 4 days I felt I had found everything I could, wrote the report and submitted it. *sits back and grabs popcorn*

4 days later I finally got the email from eLearnSecurity that I had been stalking my inbox and each email for!

LOL! That’s what I get for being fast – a BIG FAT FAIL

I’ll admit this shocked me, but eLearnSecurity gives you a free retake w/ feedback as you can see. So I immediately knew where to start looking for the vulnerabilities I had missed. In this case they did a TREMENDOUS job at making a tiny app seem so innocent; in reality this was one of the trickiest and most buggy apps I ever came across. Kudos! I found 2 more injections within like an hour and resubmitted my report. My wife thought I was stupid for doing this lol, telling me that’s why I failed the 1st time, for rushing, and even on a retake with 7 more days I submitted less than 4 hours after the feedback LMAO! I’m not sure if she was wrong but I know myself. Confidence is key. About 6 hours later here’s what I see

Fun experience and I learned a lot. Major shoutout to my boys Prasanna & Mohammed, I owe you guys beer. Major shoutout to Dimitri the eLearnSecurity admin!

eWPTX Kinks:
Content-wise I can’t complain – I would have liked to have labs on HTML5 instead of just a theoretical module, since I learn best by failing and trying again.

In the exam you get 5 resets per 24 hours; unfortunately some of your attacks will essentially break the apps, making them unstable for testing and forcing you to reset and reset and reset again. If you run out you can test other portions of the app, but I wish this didn’t happen. This was the only thing I found aggravating & obviously at the wrong time lol.
