TCM Security PWPA
I bought a voucher for the PWPA a couple of months ago and have been practicing on their Docker lab for a while now. Last weekend, I decided that I would go ahead and give the test a try. I had a retest, so failing the first attempt would not be the worst thing. It would at least give me some practice and insight. This is the same approach that I took with the CompTIA exams, and it worked for me then.
Before I started the test, I was nervous. Last December, I took the Hack The Box CBBH and completely bombed it. I got three out of six goals completed and was taking shots in the dark for most of the time. I even took off work to give myself more time with the exam. I spent over 10 hours a day for seven days, just throwing anything I could think of at it. I didn't even attempt to write the report. In hindsight, I should have, so that I could get some feedback. I took the test two weeks before Christmas, and somehow, when the email saying that I failed came in, I missed it. With the Hack The Box exam, you only have two weeks after the failure notification to start the exam again. I feel like I checked my email ten times a day until after the new year and still did not see the notification. So going into the PWPA, I was not overly confident.
I am still waiting to get the test results back, but I feel like I did great on it. I started off flailing around like I did on the CBBH, but then I took a step back and began just using the app instead of trying to break it. I went through all of the functionality and tried to hit every endpoint. Afterwards, I looked back at the HTTP history in Burp Suite and began to pick out requests that looked promising. I sent all of them to the Organizer tab to save for later and then went through them one by one, sending them to Repeater. If I found something interesting in Repeater but couldn't exploit it, I would send it to Intruder.
This worked fantastically for me. I had a focused and organized workflow that allowed me to group requests together and search for specific types of vulnerabilities on each of them. I doubt that I found all of the exploits, but I found enough to pass the exam. I quickly went to work on the report and had what I felt was a good report ready before the end of the second day. The exam gives you four days, two for testing and two for the report, but I finished it in two days, one for testing and one for reporting. I am currently waiting to get my results back, but I will post an update to this page when I do. Waiting to see if I passed or failed is one of the hardest parts for me. I know it might take a couple of days, but I can't help checking my email over and over again, even though I have notifications turned on.
Hopefully, someone reads this and doesn't feel so lost trying to break into cyber security. It is a big ocean, and it is easy to feel like you are lost at sea, just drifting around. I have not achieved my goals yet, but I am dedicated and unwilling to accept anything other than success, no matter how many failures it is built upon.
It has taken me longer than I hoped to finish this post, but I aced (I think) the PWPA exam. I received the email congratulating me for passing just two weekdays after taking the exam. If anyone else is thinking of buying this exam, I would recommend it. It was not an overly difficult exam, but it helps to solidify your understanding of basic web vulnerabilities.