Less than 2 months ago I sat for SEC542 at SANS East in New Orleans, and this past Friday I sat for the GIAC Web App Penetration Tester exam and passed with a 97%.
My goals and background. My purpose for taking this course and exam was to gain more experience and comfort with web app pen testing methods. I’ve worked in web server/client environments as a sysadmin and security admin for many years, and I’ve had some exposure to web offense tactics and tools from the PWK/OSCP days and from various HTB boxes as well. I’ve not made or maintained any “modern” web sites, but I have some web coding experience back in the painfully early years of the web and feel comfortable reading or tinkering with most preexisting code. Going into this course, I already knew some of my weaker points: I am not entirely confident with SQL and sqlmap; my exposure to Burp Suite seemed limited (and exposure to ZAP being nil); and I also had not done much with Python in regards to requests and web work.
It speaks more to myself than to the course that I probably overestimated the material a bit (or underestimated what I already knew). Pretty much across the board, with my offensive experience above, I had probably seen and performed most of the attacks that we went over. That said, my weaknesses listed above were largely addressed. But beyond working more with Burp, ZAP, sqlmap, and Python, I really ended up being somewhat ready to move past this material. Now, that’s not to say I’m ready for advanced stuff, but I think it might be more accurate to say I’m ready to gain more progressive hands-on experience with testing web apps, either live apps or deliberately vulnerable testing apps.
My study process. After taking my first SANS/GIAC exam last year, I formulated what I would expect to be my repeatable process for studying for future exams. But for SEC542, I definitely deviated from that process and skipped quite a few things. Once I got back from class, I started skimming through the material, doing a first pass on highlighting key terms and concepts. I have a process of highlighting tools and tool-like external resources, such as cheat sheets, with an orange highlighter; terms, definitions, and concepts with a green highlighter; and I underline in pen anything else useful so that it catches my eye when I’m looking for answers later. If a topic continues on the next page, I put a highlighter arrow to the next page.
After that, I worked through all of the labs again, which, I admit, was a very quick breeze, as none of the labs are really that complicated or long. In doing so, I also highlighted information in the Workbook just like I did in the other books.
The index process. Next, I started work on the index. Now, this course has a Day 6 CTF book, and in the back of this book is a very rough index. Sadly, I didn’t really like the index, but I also didn’t want to leave a trove of information on the table, so to speak, so I spent a few days transposing that index into my own index spreadsheet. Once done, I then started with Book 1 and began augmenting that given index with my own index items, as well as the definitions and concepts I wanted for each term. I did this for all of the daily books (except the CTF one) and the Workbook.
The way I make my index is to just have three columns: term, notes, page (1-101 format). I don’t shy away from expanding the size of a row if I need lots of text (word wrap). I separate each book into its own sheet, and I copy/paste those sheets into a master sheet which I then order alphabetically. The workbook is referenced as w-101. If I add something from another source, like a practice exam answer explanation, I’ll just mark it as x. I’ll then later get it printed and bound at Kinkos. This time around, it took $19 to print and was pretty thick…
I took particular time this go-around to make note of any commands and screenshots of tools. This way, if on the exam I am looking at a tool output or some command, I have a shot at finding a comparable bit of output in the materials for comparison. Often, I would put the command verbatim into my description for that line, as nothing but the sqlmap commands was really long.
The goal of an open book exam is to be able to efficiently and correctly answer questions by using those materials, and to do that, you have to manage your seek time. And that seek time plus tolerance for recollection or finding exact answers is going to differ from person to person. For me, I like enough context on each line of my index that I can tell where I should look for something about XSS types when I have 15 individual references to “XSS.” I don’t expect to always find answers just in my index, but I do give myself a shot at doing so. Ultimately, however, I expect to get into the books and find the “for sure” answer quickly. I do this with my index, but also sometimes with tabs along the tops of the books for key pages, tools, and topics.
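The index process above (one sheet per book, three columns of term, notes, and page, references written as 1-101, w-101 for the Workbook, or x for outside material, then merged and sorted alphabetically into a master sheet) can be automated and sanity-checked before printing. The script below is an added example and is not from the original post; the sample rows are constructed, and the restriction of book numbers to 1-5 (the daily books minus the CTF book) is my assumption.

```python
"""
Added example (not from the original post): build a master exam index from
per-book sheets laid out as (term, notes, page), where page is a "book-page"
reference such as 1-101, w-101 for the Workbook, or x for notes taken from
another source. All sample rows below are constructed for illustration.
"""
import csv
import io
import re

# Reference conventions from the post: "<book>-<page>", "w-<page>" for the
# Workbook, or a bare "x" for material from outside the course books.
# Assumption: daily books are numbered 1-5 (the CTF book is not indexed).
PAGE_REF = re.compile(r"^(?:(?P<book>[1-5]|w)-(?P<page>\d{1,3})|(?P<ext>x))$")

# Constructed sample sheets, one per book, as the post describes keeping them.
SHEETS = {
    "Book 1": [
        ("XSS", "cross-site scripting; reflected/stored/DOM types listed, not defined", "1-45"),
        ("Burp Suite", "proxy setup, intercept tab", "1-120"),
    ],
    "Book 3": [
        ("XSS, stored", "payload persisted server-side; attacker perspective closes the section", "3-18"),
        ("sqlmap", "sqlmap -u <url> --dbs ; command recorded verbatim", "3-77"),
    ],
    "Workbook": [
        ("DVWA", "lab target; SQLi and XSS exercises", "w-12"),
    ],
    "Other": [
        ("Digest authentication", "practice exam explanation: nonce plus MD5 hash of credentials", "x"),
    ],
}


def validate_ref(ref: str) -> bool:
    """True if ref matches the page-reference conventions described in the post."""
    return PAGE_REF.match(ref.strip()) is not None


def build_master_index(sheets):
    """Merge every per-book sheet into one list sorted alphabetically by term.

    A malformed page reference raises ValueError so a typo such as "3/77"
    is caught before the index is sent off to be printed and bound.
    """
    rows = []
    for sheet_name, entries in sheets.items():
        for term, notes, ref in entries:
            if not validate_ref(ref):
                raise ValueError(f"{sheet_name}: bad page reference {ref!r} for {term!r}")
            rows.append((term.strip(), notes.strip(), ref.strip()))
    # Case-insensitive sort by term, then by reference, so repeated terms
    # (the post's many "XSS" hits) list in book/page order.
    return sorted(rows, key=lambda r: (r[0].lower(), r[2]))


def to_csv(rows) -> str:
    """Render the master index as CSV text ready to import into a spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["term", "notes", "page"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_master_index(SHEETS)))
```

Running the script prints the merged CSV; the validation step is the part worth keeping, since a single mistyped reference in a printed index costs seek time on exam day with no way to fix it.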
In retrospect, I’m not really sure how useful the provided index ended up being, as I trust my own index was probably going to cover the bases. Honestly, the given index had some mistakes and included some weird terms from some weird places that added nothing. In the end, it maybe just resulted in a larger index than the FOR508 index I made last year (and I think that material more warranted a larger index).
One note about the SEC542 material that I noticed. Way too often for my tastes, the authors didn’t actually define terms. Instead, they would describe them anecdotally, and maybe list some uses for that term to be gone over in more depth in later pages. This made defining terms very strange, and it added extra references for terms. For instance, Stored XSS is mentioned well before it is actually dealt with, but I had to keep both references. (I suppose you don’t have to, but *I* had to, if you know what I mean.) I also challenge you to find a succinct definition of XSS somewhere. I think I would have appreciated a bit more structure in that regard, but the material is effective either way. On the flip side, I like the “attacker perspective” that closed out various attack topics.
The rest of the preparation. Once I had my index finished, I tabbed the tops of the book pages. This makes for easy flipping to sections when I know generally or exactly where a topic is in the materials, letting me skip the index completely sometimes. This was more useful in the FOR508 exam, which has more repeated reliance on tables and charts, but I did find myself using these on the exam as well. For example, a digest authentication question is going to be in the… drum roll… digest authentication section! There’s really no hunting around needed in that case.
Before sending off my index to be printed, I first took my first practice exam. I used the books and electronic spreadsheet (without using the search features) during this practice exam, and also did not use Google or other references. During the practice exam, I specifically turn on the ability to see explanations of all answers, rather than just the ones I miss (sometimes I may guess and get it right, but not be sure why!). If something is missing from my index, I’ll write down the topic or term quickly. In the end, I scored 90% on the first practice with about 10 minutes to spare.
After that, I intended to do an actual read-through of the material as well as listen to the mp3 audio of the course (given by the other author!). I only did about day 1 on both of those and decided to forgo those steps in my process. I took the second practice exam just like the first one, and scored 90%. After that, I sent my index off to be printed. Until exam day (about a 2-week gap), my only studying was just occasionally opening the books to flip through the topics and keep the layout and topics somewhat fresh in mind.
Alternate material. Now, not everyone can afford SANS courses, but the information in SEC542 can actually be very easily gotten from other sources.
For practical lab-like experience, work on things like DVWA, Mutillidae (both of these were heavily used in the course labs), and OWASP Juice Shop. In addition, every attack can be found somewhere in the HTB boxes (ask someone who’s popped most of the boxes if they can guide you to good candidates, or browse IppSec’s YouTube videos and sample each one for web app opportunities). If you’re lucky enough to have access, the PWK labs also have plenty of web app practice available. Between all of those items, you should be exposed to every attack in this course and beyond.
On the tools, it really absolutely helps to have some Burp exposure and some Python exposure. I actually really recommend courses on PluralSight for both topics. There is a course or two by Sunny Wear going over how to use Burp that is just awesome. And there are a few beginner Python courses as well that helped me quite a bit to get started. (If you do pick up a sub to PluralSight, it also has decent courses on many of these web attacks, too, by Dawid Czagan and Troy Hunt.)
Everything I know about ZAP came from this material, and I suspect just a 20-minute video on ZAP examples would cover it well enough. I just don’t have any particular ones to list here. Of all the topics, I’d have to say web fuzzing is the hardest topic to pick up on one’s own.
For other tools, exposure in the course is light, so just using sqlmap or nikto or recon-ng or nmap or wpscan or beef somewhere on some target is probably good enough to understand it enough. For Python, focus on understanding the basics of Python and then also the requests library.
For attacks, just go through the syllabus and the OWASP 2017 Top 10 web flaws. This course pretty much sticks to that list. Do know how to find and perform Shellshock and Heartbleed attacks, though. (HTB has those boxes!)
Otherwise, just go through the course syllabus and the exam topics item by item until you feel comfortable talking about them and their differences.
One thing the course doesn’t go over much at all is source code analysis, but pretty much everything in the labs is open source (umm, you control the VM!), so an enterprising student could look at the flawed code on their own. This is probably a step I need to incorporate as I look at further practice.
After all of that, honestly, you don’t need the course anymore! (But let’s face it, the extra advice from the instructor, the full coverage on the topics, and meeting other professionals in person adds to the course value.)
My next steps. After GWAPT, my next steps on the web application attacking front are to gain more casual experience through practice via self-study on DVWA, Mutillidae, OWASP Juice Shop, and others. I want to particularly make a point to use various tools for the attacks, rather than sticking to just one. And I also want to make sure I can do things manually or with Python scripts when appropriate, and review source code whenever I can for practice identifying flaws (and maybe fixing them?). I have a sub to Pentester Academy, which also has extensive web hacking tracks.
Will I take SEC642? What about AWAE from Offensive Security? Maybe, but SANS will entirely depend on whether my employer wants to support me in that next step, and I may be able to swing AWAE on my own if I can carve out that time.
Will I get to any of these this year? I do have other goals and things for this year, but the continued self-study is one I want to stick to. I don’t today do web assessments for internal sites at work, but that opportunity may be right around the corner, and I intend to be part of that.