Emma Shares | July 27, 2022 at 08:56 UTC
It’s been a year since we launched our Burp Suite Certified Practitioner exam, so we’ve been thinking about some of the improvements and developments we’ve made to both our prep materials and the exam itself.
What is the Burp Suite Certified Practitioner exam?
The Burp Suite Certified Practitioner exam is a time-based practice exam designed to test your knowledge of common web vulnerabilities and your ability to exploit them using Burp Suite Professional. By earning this certification, you will be able to demonstrate to your peers, colleagues and employers that you have the ability and skills to:
- Detect and prove the full business impact of a wide range of common web vulnerabilities, such as XSS, SQLi, the OWASP Top 10, and HTTP request smuggling.
- Adapt your attack methods to circumvent broken defenses, using your knowledge of fundamental web technologies such as HTTP, HTML and encodings.
- Quickly identify weak spots across an attack surface and perform out-of-band attacks, using manual tools to ease exploitation.
Those who pass the Burp Suite Certified Practitioner exam also receive a digital certificate to share with employers and add to their career portfolio.
It was one of the best certification experiences I have had by far. It definitely tests your knowledge of the different web vulnerability classes as well as your ability to string them together. For anyone looking to improve their web application testing skills (especially from a black box perspective), I would highly recommend this one.
So what has changed?
We have made small changes throughout the certification journey, each of which we hope will make it easier for people to become a Burp Suite Certified Practitioner.
Based on feedback from our users and some internal testing, we have increased the exam duration from three to four hours. Those who passed the exam cited the extra time as a great help in identifying all the vulnerabilities needed to pass the exam, as well as giving them valuable extra time to plan their exploits and conduct more effective reconnaissance.
Mystery Lab Challenge
Earlier this year, we launched our mystery lab challenge to put your recognition skills to the test. As the name suggests, this new feature gives Web Security Academy users the ability to find and exploit vulnerabilities without context or clues, just like you would when reconnoitring in a real test environment. Why not try the mystery lab challenge now?
Comments on the preparation
We’ve also been busy gathering feedback from our customers who have already passed the exam, so we can hear their experiences and get their advice on how best to prepare for the certification journey.
Taking this feedback into account, and recognising that we needed to provide a much clearer breakdown of the steps to follow before attempting the exam, we have revised our guidelines on preparing for your exam.
Web Security Academy
Regardless of their level of experience, our Certified Practitioners have highlighted the Web Security Academy as a key resource in preparing for their exam. In addition to completing a lab on each topic, our new tips now offer a list of core labs to focus on to help you prepare. These include:
- Exploiting cross-site scripting to steal cookies.
- Blind SQL injection with out-of-band data exfiltration.
- Forced OAuth profile linking.
- Brute-forcing a stay-logged-in cookie.
- Exploiting HTTP request smuggling.
- SSRF with blacklist-based input filter.
I just completed the new Burp Suite certification from PortSwigger. I’ve always been a big fan of the Web Security Academy and it’s a great cornerstone of the labs.
Pass the practice exam
Although the vulnerabilities in the practice exam do not change, several of our practitioners said they took the practice exam multiple times to become fully familiar with the format. We strongly recommend that you keep attempting the practice exam until you can pass it within the time limit.
If you get stuck during the practice exam, we recommend revisiting the Web Security Academy to refresh your knowledge of the format and the vulnerability classes. When you feel ready and more comfortable with the exploitation techniques, retake the practice exam.
Taking the exam was fun because the challenges themselves were absolutely fair and no estimation was needed.
Tips and tricks
Our certified practitioners had some other helpful tips, which we’ve broken down into the tips and tricks below:
- Use the techniques you learn in the Web Security Academy to identify vulnerabilities, and remember that working through the steps in sequence will help your approach.
- There’s no harm in creating a cheat sheet to refer to during the exam. PortSwigger’s XSS cheat sheet was also cited as a great resource to have on hand.
- Use Burp Suite Professional’s scanner and other extended features – it’s a Burp Suite certification after all!
- Although the exam is time-constrained, the most important thing is to stay calm and focused.
Think you’re ready to take the exam?
Check out our guide to what the exam entails to get an idea of what to expect before you get started. We strongly recommend that you do not start your final exam until you have not only passed the practice exam, but also completed all the steps in our exam preparation guide. Remember that an active Burp Suite Professional license is required for the exam.
Taking the Burp Suite Practitioner exam was fun, especially compared to other industry qualifications like OSCP. [The Burp Suite Certified Practitioner exam] actually helps with your daily life, and it doesn’t require the weeks and weeks of study that OSCP requires and the 24 hours it takes to complete.