In this post, I will review the Burp Suite Certified Practitioner (BSCP), a black-box web application vulnerability certification, covering the course and its exam and sharing some tips that will come in handy.
The certification exam costs 89€, which covers only one exam attempt, since the course itself is free. However, you may need several attempts to pass the exam. Nonetheless, it is the cheapest certification I have encountered.
The PortSwigger Academy is by far the best course to learn web security, covering 24 different topics, which I suggest you tackle following the Learning Path. However, I missed techniques for bypassing Web Application Firewalls (WAFs), which are covered in the eWPT course.
The best thing about the course is that it is completely free, so you do not need to pay a monthly subscription to keep learning before taking the exam. However, I sometimes missed a more elaborate explanation of how the vulnerability is discovered (I know that assumptions can sometimes be made from the lab title, but in the exam you do not have any of those) instead of the solution being given directly. An example would be the lab "HTTP request smuggling, obfuscating the TE header".
Moreover, I do not understand why the Burp Suite Collaborator is mandatory in some labs when you could use the exploit server, which performs the same function. A great example would be the lab "Blind SQL injection with out-of-band interaction".
To pass the exam, you do not need to complete every lab, as stated in PortSwigger's guide "How to prepare for your certification", but if you do not know much about web attacks, I encourage you to complete at least every apprentice and practitioner lab. Also, take notes of the solution for each lab, because it is highly likely that some of the labs will appear on the exam, so you will not have to go to their web page looking for the particular lab. Nonetheless, I have started uploading all the labs categorised by topic (starting with SQLi), so you do not need to create your own notes.
Finally, the course will help you master Burp Suite, suggesting the plugins you should install and how to use them, and showing you the features that come built into Burp Suite and how to use them. Also, it provides some nice cheat sheets that you can add to your notes for future audits.
Parts of the exam
The exam is composed of two web applications, and you need to complete three objectives on each one within a total of 4 hours:
- Get access to the application as a regular user. This does not mean you will need to log in as wiener or peter. Also, no credentials will be given to you.
- Become administrator.
- Obtain the contents of the file
Tackling the exam
The PortSwigger exam uses the same page you see in every lab, but it will differ in some way, such as having a search bar, allowing you to make posts, having an advanced search panel, etc. Hence, during the enumeration phase, you need to be a keen observer, looking at the features, the source code, the responses from the server, etc., for the clues they give you (most of them have been seen in the labs) to spot the vulnerability.
Furthermore, in the user part, you will need to chain two or three vulnerabilities seen in the labs to become a user of the application. Also, it is worth saying that if you need to perform any kind of brute-force attack, use the username and password wordlists provided by Burp Suite.
Then, becoming an administrator is easier than obtaining a user account, and there are no rabbit holes. However, obtaining Carlos' secret file is more difficult because most of the vulnerabilities are not what you think they are, which can be considered CTF-like.
For that last reason, you might need several tries to pass the exam.
The Burp Suite Certified Practitioner is a great certification if you are interested in performing black-box web application testing, helping you improve your web skills as well as how to use Burp Suite and its plugins. However, it is not an easy exam: it requires staying calm and being very observant for four hours straight, and it may take several attempts to obtain the certification.
Do not give up and keep trying, until you get it ;)