eWAPTXv2 Certification and Course Review

eWAPTXv2 Certification and Course Review

We are excited to announce that one of our cyber security experts in the team was awarded the eWAPTX certificate by successfully passing the eLearnSecurity Web application Penetration Tester eXtreme training exam this week.

You can find the comments and the experiences about the training from our expert that he had gained during the certification process.


Course Materials

We should note that the training is intended for intermediate and advanced users. Still, essential topics such as working principles of web applications or detailed explanations of web vulnerabilities are not covered. eLearnSecurity Web application Penetration Tester eXtreme Training content, updated in 2022, covers the following topics.


- Encoding and Filtering

This section reviews the encoding methods such as base32/64, HTML encoding, URL encoding, and Unicode in depth. This part of the course is beneficial because it gives deep meaning to the topics you presume you already know. Therefore there are no practical examples in this section. Instead, all this in-depth information here is theoretically explained.


- Evasion Basics

First of all, if you are not familiar with web vulnerabilities and avoidance methods, this part of the course can be challenging. The information learned here will be beneficial, especially in Blackbox pentests. Also, for creating a comprehensive and tidy document on evasion techniques. Congratulations to eLearnSecurity! In this section, the training offers lab environments where you can practice in addition to the theoretical content.   


- Cross-Site Scripting

This topic is indispensable to web vulnerabilities. The basic information about this security vulnerability is not covered in this course. There are advanced levels of examples of triggering XSS vulnerabilities and payloads. In addition, there are enlightening lab scenarios about XSS vulnerability usage options and how to exploit the vulnerability.   


- XSS – Filter Evasion and WAF Bypassing

It is worth mentioning that all the sections about avoidance are valuable and successful. However, this section is focused on adequately configured Web Application Firewall (WAF) devices and bypass techniques for Input validation techniques on the application layer. In addition, you will have the opportunity to try advanced evasion techniques taught through scenarios in XSS labs.



This section, which we found weaker than the other course content, theoretically explains many subjects such as CORS and Session Hijacking. But unfortunately, there is no practical lab.


- SQL Injection

The SQL Injection given in the training is explained for a total of 4 different databases. You can test the vulnerabilities on these databases in the labs created for this vulnerability. Labs are pretty satisfying, and none of the scenarios are easily captured with tools like SQLMap. We will point out that the lab scenario about second order SQL injection vulnerability is fun and informative.


- SQLi – Filter evasion and WAF Bypassing

Hundreds of bypass methods are explained for SQL injection attacks. This section is affluent in terms of labs.


- XML Attacks

This course section offers an excellent summary of the XML standard and its comparison to HTML. It then covers XXE, XEE, and XPath Injection attacks in depth. The attack techniques in the labs are not bad at all.


- Attacking Serialization

If you have not studied deserialization vulnerabilities before, you should devote time to this section until you have enough information about the subject. In this section, you will learn about Java, PHP, and .NET insecure deserialization vulnerabilities, and you will meet with terrific labs about these vulnerabilities.


- Server Side Attacks

Although this section mainly focuses on SSRF and XSLT, many new vulnerabilities are also included. Therefore, to succeed in the exam, you need to focus on this part and comprehend it well.


- Attacking Crypto

Another section that doesn't have much quality content as open source, but eLearnsecurity has done a great job. You can find examples related to the subject in labs.


- Attacking Authentication & SSO

In this section, you can get detailed information about how the Authentication mechanism works. Then, in the labs, you can learn to manipulate the authentication mechanism using different vulnerabilities.


- Pentesting APIs & Cloud Applications

Cloud application security is not usually included in Web application training. However, the eLearnSecurity team did a brilliant job incorporating API and Cloud Applications into this course content, making your experience even better.


- Attacking LDAP-based Implementations

This section is the last part of the course. If you can't understand this part at once, don't get discouraged because you are in a very complex attack scenario.



The course content includes 20 labs in total. In addition, there are multiple scenarios in each lab. Therefore, this opportunity increases the number of practical applications.

Labs are more than enough for you to practice theoretical topics.

To access the labs, you don't have to do anything other than add the VPN connection and DNS server to your network configuration. In addition, the performance of the lab servers is commendable.

Lab scenarios are often not easy. Although we do not recommend that you look at the solution sections of lab scenarios, it can be helpful when situations become inextricable.

In the exam, you will only see the questions about the topics in labs, and no other issues are involved.



It is beneficial to take the exam immediately after completing the courses fully. Otherwise, you will waste time remembering the exact information during the exam, which will stress you out. The exam is entirely Blackbox so you will start the exam with minimal knowledge about the objectives. You join the exam with a remote connection to a lab environment containing vulnerable applications. There is no theoretical question in the exam. All of the questions are practical. You are expected to find any scope and vulnerabilities you can see during the exam and eventually present them in a report. The exam takes seven days in total. During this time, you have access to the lab of the exam. At the end of the seven day, access to the exam questions expires, and a seven-day period starts to prepare the report. You have seven days to find vulnerabilities in the applications and then seven days more to complete your report. However, it would help if you remembered that you would not be able to reaccess the exam environment at the end of the first seven-day period of the exam. That's why you need to record all kinds of materials -such as HTTP traffic, application information, screenshots, and steps of the performed actions- that you can use in the report. You can finalize the exam at any time without waiting for the end of seven days. (Three days was more than enough for us.) Once you upload your report, the result of your exam evaluation will be shared with you within a week. I should also mention that the support line is very relevant and fast for every issue.


In general, the training and lab environments are satisfying. With the updated eLearnSecurity Web Application Penetration Tester eXtreme content and eWAPTXv2 certificate, eLearnSecurity seems to be a preferable training and certification for those who want to become a web application penetration tester.