How I Passed the BSCP Exam: A Full Review & Prep Guide
The author shares their experience of taking the Burp Suite Certified Practitioner (BSCP) exam and the preparation strategy behind it. The exam requires candidates to find and exploit six vulnerabilities across two web applications within 4 hours. Through systematic study and hands-on practice on PortSwigger's Web Security Academy, the author learned to identify and exploit common vulnerabilities and ultimately passed. The article also offers practical preparation advice and tool-usage tips. 2025-7-29 07:31:20 Author: infosecwriteups.com

Sid Joshi

Hey everyone! It’s me again — the guy behind JWTAuditor, which many of you showed love for (thank you, seriously 🙏).

But this time, I’m not talking about JWTs. This post is about something that had me pulling my hair out (and drinking way too much chai), the Burp Suite Certified Practitioner (BSCP) exam.


Some people call it the OSCP of Web — and honestly, I wouldn’t argue. It’s tough, intense, and has that same “capture the flag or cry trying” vibe.

You get two apps, six vulnerabilities, and just four hours to prove you can think like a hacker.

This is my personal review: how I prepared, what I learned, and some very practical tips you should keep in mind.

🎯What is BSCP?

The BSCP is the official, and only, certification offered by PortSwigger, the folks who built Burp Suite. This cert isn’t about theory or multiple-choice nonsense. You get two real-world-style web apps, and your job is to break into them.

🧪 Here’s what the exam looks like:

  • 2 web apps
  • 3 stages per app:
    1. Get access to a user account
    2. Escalate to admin or reach the /admin panel
    3. Extract the contents of /home/carlos/secret
  • Time: 4 hours
  • Score needed: all six flags = pass
  • Cost: $99 USD per attempt
  • Needs: Burp Suite Professional (licensed)

That’s it. No PDF report. No Viva. Just you, your Burp Suite, and Carlos’ poor, insecure website.

📚 My Preparation

Let me be honest — this isn’t a cert you walk into blindly.

I spent a few weeks with PortSwigger Web Security Academy, which, by the way, is hands down the best free web vulnerability resource out there. And no, they’re not paying me to say this.

Here’s what I actually completed:

  • ✅ All Apprentice-level labs
  • ✅ Around 50% of Practitioner-level labs
  • A few Expert-level labs (until my brain gave up)
  • ✅ The Exam Preparation Path — DO NOT SKIP THIS


The prep path includes mystery labs and a practice exam that mimics the real exam. I genuinely believe that if you can solve those comfortably, you’re more than ready for the actual exam.

🧠 The Exam Strategy (What Worked for Me)

Here’s my honest take on what helped me crack it:

  1. Don’t look for OS Command Injection on the login page: Start from the basics and try to get into a user account first. The exam has a logical flow, and the first step must be completed before you move on to the second. If you jump to the big exploits early, you’ll just waste time.
  2. No directory brute-forcing needed: I didn’t run gobuster or ffuf even once. If needed, use Burp’s Content Discovery tool; that’s more than enough.
  3. Intercept and analyse everything: Seriously. Watch every request, every parameter. The vulnerability is almost always hiding in plain sight.
  4. Lab patterns repeat, and you’ll start recognising them: For example, advanced search filters often have SQL injection, and search boxes that reflect your input are candidates for XSS or SSTI. Lab practice builds that sixth sense.
  5. Two users minimum: Every exam app will likely involve Carlos and an Administrator. Use the Academy’s default username and password wordlists for brute-force attempts. Don’t overthink this; stick to what worked in the labs.
  6. Don’t mess with lab or lab-analytics cookies: These are for exam functionality. Don’t waste time trying to tamper with them — you’re barking up the wrong tree.
  7. Maintain a personal cheat sheet: During prep, I made notes for:
     • XXE payloads (external DTDs, file reads)
     • Deserialization (keep ysoserial handy)
     • SQL injection (null-based, blind, error-based)
     • SSTI (Jinja2 tricks, etc.)
     • Cookie manipulation examples

Keep them ready. In the exam, you don’t have time to Google every payload.

  8. Scanner & Intruder are your best friends (if used right): Suppose you found a reflected input — set up Intruder, define the insertion point, and run a targeted scan (XSS, SQLi only). Don’t go full-blast with all checks — it’ll just slow things down.

  9. Assume misconfigurations. Try “stupid” things: I ignored a bypass because I thought, “No way this will work.” Guess what? It worked.

Remember: It’s a deliberately broken lab. So even “dumb” things can be valid exploits.

📝 My Exam Experience

I chose to take the exam on a weekend because what better way to spend your Saturday than trying to hack into Carlos’ poorly built web apps for four straight hours, right? I made sure my setup was ready: a fresh and focused mind (heavily supported by endless cups of coffee), my notes of payloads and random observations, and Burp Suite updated and customised to my liking.

As the exam started, I took a deep breath and dived in. Both applications followed the exact structure I’d seen in the Exam Preparation Path, which was a huge relief.

No crazy rabbit holes, no unexpected CVEs, just good old-fashioned web security bugs: SQL injections, broken access controls, IDORs, privilege escalations and much more, the kind of things that feel familiar if you’ve put in the hours on the Web Academy. The key was chaining them logically and not wasting time going down overcomplicated routes.

I managed to finish all six tasks with about 50 minutes to spare, which I used to double-check my steps and replay a few requests to be absolutely sure. I made request groups in Repeater for app1 and app2; not strictly necessary, but that’s what I think a good project file looks like. I have all the Intruder logs saved to my project as well.

I zipped the project file. Once done, I clicked submit with my fingers crossed and then began the wait.

After one long day of refreshing my inbox like a madman, the result finally arrived: PASS. 🎉 It was equal parts relief and joy, and I might have done a little dance in my chair, not going to lie.


Useful Resources

Make sure to bookmark them along with your lab solution notes:

🧾 Final Words

This exam isn’t a trick game. It tests how well you’ve done the Academy labs. Nothing more, nothing less.

Don’t treat it like a guessing game or a CTF; it’s not. Treat it like a real-world assessment where you:

  • Think logically
  • Work step-by-step
  • Use Burp like an extension of your brain

If this helped you or made you smile, drop a comment or DM me on LinkedIn. I’m always happy to talk bugs, Burp, or bad filter bypasses. Until then — hack smart, not hard.


Source: https://infosecwriteups.com/how-i-passed-the-bscp-exam-a-full-review-prep-guide-f597707fb75e?source=rss----7b722bfd1b8d---4