GWAPT Certification Bulletin
(Part 2 of Candidate Handbook)
- Type: Certification
- Target: Web applications are one of the most significant points of vulnerability in organizations today. Most organizations have them (both web applications and the vulnerabilities associated with them). Web app holes have resulted in the theft of millions of credit cards, major financial loss, and damaged reputations for hundreds of enterprises. The number of computers compromised by visiting web sites altered by attackers is too high to count. This certification measures an individual's understanding of web application exploits and penetration testing methodology. Check your web applications for holes before the bad guys do.
- Requirements: 1 proctored exam - 150 questions - 4-hour time limit - 70.7% (106 of 150 questions) minimum passing score
- Renewal: Every 4 years
The topic areas for each exam part follow:
| Exam Certification Objectives | Certification Objective Outcome Statement |
|---|---|
| AJAX | The candidate will demonstrate an understanding of what AJAX is and some of its known weaknesses. |
| Application Flow Charting and Session Analysis | The candidate will demonstrate an understanding of the techniques used to identify the logic flow of a web application. |
| Automated Web Application Vulnerability Scanners | The candidate will demonstrate familiarity with automated tools used to find web application vulnerabilities and their distinguishing features. |
| Client Authentication | The candidate will be able to identify and discuss the strengths and weaknesses of the major types of client authentication. |
| Cross Site Scripting | The candidate will demonstrate an understanding of the types of XSS attacks, how to identify XSS vulnerabilities, and how to perform them. |
| Flash | The candidate will understand Flash technology and its weaknesses. |
| Java Applets | The candidate will understand the fundamentals of Java Applets and how to decompile them. |
| Javascript for Pen Testers | The candidate will be able to identify the major components of the Javascript scripting language and what the purpose of each component is. |
| PHP | The candidate will understand the fundamentals of PHP and its capabilities as a language. |
| Probing and Other Mapping | The candidate will demonstrate an understanding of port scanning, OS fingerprinting, version scanning, and banner grabbing. |
| Python Scripting Basics | The candidate will be familiar with some of the basics of the Python scripting language at a high level. |
| Recon Using Public Information | The candidate will understand how to conduct reconnaissance using publicly available information. |
| Session Tracking and SSL | The candidate will be able to discuss how session tracking is used and how SSL/TLS is used in modern web communications. |
| Spidering | The candidate will demonstrate mastery of techniques that can be used to spider a site. |
| SQL Injection | The candidate will demonstrate an understanding of how to perform SQL injection attacks and how to identify SQL injection vulnerabilities in applications. |
| The HTTP Protocol | The candidate will demonstrate an understanding of how HTTP works. |
| Understanding the Web | The candidate will demonstrate an understanding of the fundamentals of how web applications work. |
| Web App Pen Test Methodology and Reporting | The candidate will be able to identify the typical methods and components of a web application penetration test. |
| Web Application Vulnerabilities and Manual Verification Techniques | The candidate will be able to test for common web application vulnerabilities using a combination of manual techniques and tools. |
| Web Services | The candidate will be familiar with web service technologies and attack vectors. |
| XSS Frameworks and Attack Limiting | The candidate will demonstrate familiarity with various XSS attack frameworks. |
Where to Get Help
Training is available from a variety of resources, including online courses, course attendance at a live conference, and self-study.
Practical experience is another way to ensure that you have mastered the skills necessary for certification. Many professionals already have the experience needed to meet the certification objectives identified above.
Finally, college-level courses or study through another program may meet the needs for mastery.
The procedure to contest exam results can be found at http://www.giac.org/grievance.php.