Burp Suite certification: a year in review
2022-07-27 16:56:08 Author: portswigger.net (view original)

Emma Stocks | 27 July 2022 at 08:56 UTC

It’s been a year since we launched our Burp Suite Certified Practitioner exam, so we’ve been reflecting on some of the improvements and developments we’ve made across both our preparation materials and the exam itself.

What is the Burp Suite Certified Practitioner exam?

The Burp Suite Certified Practitioner exam is a practical, time-based exam designed to test your knowledge of common web vulnerabilities and your ability to exploit them using Burp Suite Professional. By gaining this certification you’ll be able to demonstrate to your peers, colleagues, and employers that you have the ability and skills to:

  • Detect and prove the full business impact of a wide range of common web vulnerabilities - such as XSS, SQLi, OWASP Top 10, and HTTP Request Smuggling.
  • Adapt your attack methods to bypass broken defenses, using your knowledge of fundamental web technologies like HTTP, HTML, and encodings.
  • Quickly identify weak points within an attack surface, and perform out-of-band attacks using manual tools to aid exploitation.

Those who successfully pass the Burp Suite Certified Practitioner exam also receive a digital certificate to share with employers, and add to their career portfolios.

This was one of the best certification experiences I’ve had hands down. It definitely tests your knowledge of various web vulnerability classes along with your ability to chain them. For anyone looking to level up their web app testing skills (especially from a blackbox perspective), I would highly recommend this one.

So, what’s changed?

We've made small changes throughout the certification journey, each of which we hope will make it easier for people to work toward becoming a Burp Suite Certified Practitioner.

Exam length

Based on feedback from our users, and some internal testing, we've increased the length of the exam from three to four hours. Those who successfully completed the exam cited the extra time as a big help in identifying all the vulnerabilities needed to pass the exam, as well as giving them valuable extra time to plan their exploits and perform more effective recon.

Mystery lab challenge

Earlier this year, we launched our mystery lab challenge to put your recon skills to the test. As the name suggests, this new feature gives Web Security Academy users the chance to find and exploit vulnerabilities with no context or hints, exactly as you would when performing recon in a real-world testing environment. Why not have a go at the mystery lab challenge now?

Preparation feedback

We've also been busy gathering feedback from our customers who have already passed the exam, so we can hear their experiences and get their advice on how to best prepare for the certification journey. 

Taking our users' feedback on board, and knowing that we needed to provide a much clearer breakdown of the steps to take before attempting your exam, we've revised the guidelines on preparing for your exam.

Web Security Academy

Regardless of their level of experience, our Certified Practitioners highlighted the Web Security Academy as a key resource to prepare for their exam. On top of completing a lab from each topic, our new guidance now features a list of core labs you should focus on to support your preparation. These include:

  • Exploiting cross-site scripting to steal cookies.
  • Blind SQL injection with out-of-band data exfiltration.
  • Forced OAuth profile linking.
  • Brute-forcing a stay-logged-in cookie.
  • Exploiting HTTP request smuggling.
  • SSRF with blacklist-based input filter.

Just finished PortSwigger's new Burp Suite Certification. I've always been a big fan of the Web Security Academy and this is an excellent capstone on the labs.

Take the practice exam

Although the vulnerabilities in the practice exam don't change, several of our Practitioners said that they took the practice exam multiple times to get themselves fully familiar with the format. We strongly recommend that you continue to attempt the practice exam until you are successfully able to pass it within the given time frame.

If you get stuck during the practice exam, we advise revisiting the Web Security Academy to get more familiar with the format and vulnerabilities. When you feel ready, and more comfortable with the exploit techniques and vulnerability classes, then retake the practice exam.

Taking the exam has been fun, as the challenges themselves were absolutely fair and no guessing was needed.

Tips and tricks

Our Certified Practitioners had some other helpful advice, which we've broken down into the tips and tricks below:

  • Think about the techniques you're learning in the Web Security Academy to identify vulnerabilities. Remember, thinking sequentially will help your approach.
  • There's no harm in creating a cheat sheet to refer to during the exam. PortSwigger's XSS cheat sheet was also cited as a great resource to have to hand.
  • Use Burp Suite Professional's scanner and other extensive features - this is a Burp Suite Certification after all!
  • Although there is a time constraint, the most important thing is to keep calm and stay focused.

Think you're ready to take on the exam?

Check out our guide to what the exam involves to give you the lowdown on what to expect before heading in. We strongly recommend that you don't begin your final exam until you've not only passed the practice exam, but completed all the steps on our exam preparation guide. Don't forget, access to an active Burp Suite Professional license is required for the exam.

Taking the Burp Suite Practitioner exam was fun, especially when compared to other industry qualifications like OSCP. [The Burp Suite Certified Practitioner exam] actually helps with your day-to-day, and it doesn't require the weeks and weeks of studying that OSCP requires and the 24 hours it takes to complete.

Emma Stocks


Source: https://portswigger.net/blog/burp-suite-certification-a-year-in-review