Burp Suite Certified Practitioner: Exam Review and Tips
Introduction
I recently passed the Burp Suite Certified Practitioner exam. It took me about 8 weeks of preparation, and I passed on my second attempt. This post will be about how I prepared, my experience with the exam, and some general tips for anyone who is curious about the BSCP and PortSwigger Academy.
Training
I decided to go for the BSCP because I wasn’t very confident about my web pentesting skills. I didn’t get into web applications until recently, as I was always more interested in exploit development, network pentesting, and programming things in C or C#. Nonetheless, I had some basic knowledge about web vulnerabilities from doing OSCP and HackTheBox academy modules, and I had some experience in using Burp to solve CTFs and HTB boxes. This was enough knowledge for me to be able to know what I didn’t know about web pentesting, so my plan was to work through all of the PortSwigger academy modules, starting from the first topic and doing all of the labs along the way. The initial phase of going through PortSwigger academy took me about 4 weeks, where I averaged around 15 hours per week of studying. Some of the topics that I had solid experience with, like basic SSTI and SQLi attacks, were easy to get through quickly. Other topics that I was unfamiliar with, like HTTP request smuggling, prototype pollution, and web cache deception, took a lot longer to fully understand and work through the associated labs. The PortSwigger academy modules contain everything you need to pass the BSCP exam. However, the modules aren’t as in-depth as other cybersecurity training you may be used to, and the didactic style they use will require you to do some more research if you don’t already have a good grasp of the underlying technology. This is where I started to struggle, because while I know how to program, I never bothered to learn JavaScript or web development subjects. If you’re in a similar position, what helped me the most was to sit down, take a few days, and actually learn JavaScript by working through the “Eloquent JavaScript” book. Then I read “The Tangled Web”, which, while some parts are outdated, does an excellent job at teaching the basics of how JS, HTML, and browsers work in a penetration testing context.
Especially when it comes to things like DOM-based XSS or CSRF attacks, you have to actually understand what is going on. A good example is when you want an attack to request another page. You’ll need to know the difference between using `document.location="http://exploit-server";`, `fetch("http://exploit-server");` and `var a = new XMLHttpRequest(); a.open("GET","http://exploit-server"); a.send();`, and in which contexts each one might be useful. Likewise, you’ll also need to know whether you should use `<script>`, `<iframe>`, `<img>` or `<form>` to deliver your payload to a simulated victim. Once I started to understand these things, working through the labs became much easier. After those 4 weeks, I had done almost every beginner and practitioner lab. The ones I set aside were the ones that required some functionality of Burp Suite Professional. This is where the second phase of training started. I signed up for my 30 day trial of Burp Suite Professional, and spent the next two weeks doing the labs I skipped, getting accustomed to the Pro features, taking the practice exams, and reviewing any topics that I still felt weak on. I would also do a few of the mystery labs each day. You get diminishing returns with these after a while, but they’re very useful for working on solving things quickly.
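How those request mechanisms look from the receiving server, as an added example that is not from the original post: current browsers attach Fetch Metadata request headers (Sec-Fetch-Mode, Sec-Fetch-Dest, Sec-Fetch-Site) whose values differ for a document.location navigation, a fetch()/XMLHttpRequest call, and an img, script, iframe or form element, which is what lets a server tell them apart and reject cross-site requests that a legitimate user would never make. The header sets below are constructed samples, and the isolation check is the general resource-isolation pattern, not something taken from the exam or the PortSwigger labs.

```javascript
// Constructed samples of the Fetch Metadata headers a browser sends for each
// of the delivery mechanisms discussed above, all from a cross-site page.
const samples = {
  'document.location': { method: 'GET',  'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document', 'sec-fetch-site': 'cross-site' },
  'fetch()':           { method: 'GET',  'sec-fetch-mode': 'cors',     'sec-fetch-dest': 'empty',    'sec-fetch-site': 'cross-site' },
  'XMLHttpRequest':    { method: 'GET',  'sec-fetch-mode': 'cors',     'sec-fetch-dest': 'empty',    'sec-fetch-site': 'cross-site' },
  '<img>':             { method: 'GET',  'sec-fetch-mode': 'no-cors',  'sec-fetch-dest': 'image',    'sec-fetch-site': 'cross-site' },
  '<script>':          { method: 'GET',  'sec-fetch-mode': 'no-cors',  'sec-fetch-dest': 'script',   'sec-fetch-site': 'cross-site' },
  '<iframe>':          { method: 'GET',  'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'iframe',   'sec-fetch-site': 'cross-site' },
  '<form> POST':       { method: 'POST', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document', 'sec-fetch-site': 'cross-site' },
};

// Work out how a request was triggered from its Fetch Metadata headers.
// Header names are lower-cased, as Node's http module exposes them.
function classifyTrigger(h) {
  const mode = h['sec-fetch-mode'];
  const dest = h['sec-fetch-dest'];
  if (mode === 'navigate') {
    if (dest === 'iframe' || dest === 'frame') return 'framed navigation';
    return h.method === 'POST' ? 'form submission' : 'top-level navigation';
  }
  if (dest === 'empty') return 'fetch/XHR';
  if (dest === 'image') return 'img element';
  if (dest === 'script') return 'script element';
  return 'other subresource';
}

// Server-side resource isolation policy: allow same-site traffic and plain
// top-level GET navigations (so links from other sites still work), but
// refuse every other cross-site request, which covers CSRF via fetch/XHR,
// cross-site form posts and embedding the app in a frame.
function isAllowedByIsolationPolicy(h) {
  const site = h['sec-fetch-site'];
  // Older browsers send no Fetch Metadata; let them through rather than break
  // them, and rely on the application's own CSRF tokens in that case.
  if (site === undefined) return true;
  if (site === 'same-origin' || site === 'same-site' || site === 'none') return true;
  const framed = ['iframe', 'frame', 'object', 'embed'].includes(h['sec-fetch-dest']);
  return h['sec-fetch-mode'] === 'navigate' && h.method === 'GET' && !framed;
}

// Print a table of mechanism, classification and policy decision.
function report() {
  return Object.entries(samples).map(([name, h]) =>
    `${name.padEnd(18)} ${classifyTrigger(h).padEnd(22)} ${isAllowedByIsolationPolicy(h) ? 'allow' : 'block'}`);
}
console.log(report().join('\n'));
```

The check applies to state-changing endpoints in addition to, not instead of, CSRF tokens, since it only works in browsers that send Fetch Metadata.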
Attempt 1
With two weeks left on my Pro trial, I decided to go ahead and take the exam. I didn’t feel 100% ready, but my trial license was counting down, and I wanted to either pass and be done, or fail and see what I still needed to work on. The exam itself is exactly like the PortSwigger documentation describes it. The proctoring service wasn’t too intrusive, which I liked. You upload your photo, turn on your webcam, and go. That’s it. You can use multiple displays, and run whatever programs or virtual machines you want. My setup was a Kali VM with Burp Suite Pro on my second screen where I did my work, with the proctoring webapp and my notes open on my main OS on my primary screen. This is much better compared to other exams I’ve taken, where you have to remove all books and electronics, move your camera around the room, and message a proctor every time you want to get out of your chair. I started up the exam, and moved at what I felt was a decent pace, getting through each stage in around 30 to 40 minutes. I wasted a lot of time on stage 5 of 6, which left me with 30 minutes to get the last flag. This is when the stress and the time pressure kicked in, and I kept making mistakes due to trying to rush, and I ended up failing, out of time, with 5/6 flags. Then about 20 minutes after it was all over, with the pressure gone and time to think, I realized exactly what I should have done to get the last flag.
Attempt 2
After failing, I spent a week going back over what I missed, and did another 15 or so mystery labs to try and improve my speed. I also took a break for a few days, but with less than a week left on my Burp Suite Pro trial, it was time to do it again. The constant repetition of the lab exercises and re-reading the material helped, and I was able to pass on my second try after about an hour and 45 minutes.
Tips and Pointers
Here are a few things that I think would be helpful for anyone thinking about completing PortSwigger academy and the BSCP:
- You have to be fast. I failed my first attempt due to this, as the four-hour time limit goes by very quickly. You have to have a good grasp of how to identify and exploit things, and have your payloads ready to go.
- Understand the exam structure. There is “up to one active user”, and the final objective is to read a file on the server, which means that you can narrow down what tactics will be useful on each stage. Take note of the username and password lists, and the port number to use for SSRF attacks.
- Do lots of mystery labs. The exam didn’t feel any more difficult than the practitioner level labs. You won’t need to do anything very complicated, like obscure WAF bypasses, reviewing source code for hidden exploits, or building an elaborate exploit chain to trigger a vulnerability. The best way I found to develop speed is to continually do the random labs. The training material recommends you do 5 mystery labs, but I would say I did around 40 in total.
- Get used to Burp Suite Pro. After using Community Edition for so long, the Pro features almost felt like cheating (until I failed my first try). Learn to use active scans, insertion point scans, and know the possibilities that open up with a non-throttled Intruder. This goes along with point 1, where you need to use the Pro features to quickly find the vulnerabilities. Also be aware of what kinds of things the active/passive scans will miss. Certain things like host header attacks and web cache poisoning can be hard to find if you’re relying only on the scan output.
- If you’re going to use a trial license, wait until you’re done with most of the labs. There’s a lot of content to get through, and you won’t need all of the Pro features at first.
Conclusion
After 8 weeks and a passing result, I felt much more confident about my web pentesting skills. I used to hate doing web challenges because manually searching for vulnerabilities was incredibly tedious and boring to me, but using Burp Suite Professional makes the whole process easier and less boring. Going for this certification also forced me to finally learn JavaScript along the way, so that was another benefit. My total cost, using a trial license and taking two attempts, was $198, which I feel is a very reasonable price.