Burp Suite User Forum


Passed BSCP - Thank you PortSwigger!

Steven | Last updated: Jul 24, 2024 05:19AM UTC

I really enjoyed the BSCP experience. The labs felt challenging, and even though I've had 15+ years of web app testing experience, the exercises put me through my paces. I've never felt as frustrated with a web application vulnerability as when I attempted the practice exams. That's when I knew I really had to dig in and be well prepared for the exam. I passed on my first attempt in 1 hour 52 minutes.

Having an index of payloads for each scenario is very useful. When you do labs, pretend it's a real exam. They say the objective is just to pop an alert? Nah, go ahead and write a PoC to steal the cookie. (Just remember that if you get a hit on your collab and the cookie is empty, it's because no session is set for the victim. It still worked!) Everything is either a foothold, an escalation, or allows local file read, so treat the labs as such. The time really is not an issue since there are not that many possible vulnerabilities, and it doesn't take that long to exhaust each possibility.

Remember that testing is not just about finding the vulnerability. It's also answering "is this thing NOT vulnerable?" Just because I get an x-cache hit/miss on a page doesn't mean it's going to lead to cache poisoning if there is no reflection from a user-controlled parameter/header (query string, origin, user agent, etc.). You should be confident after testing a function for 10 minutes that it is NOT vulnerable to the thing. Get your payloads for everything prepared beforehand. The labs pretty much cover all possibilities, so you can mirror the lab format in your index. You got this!

Ben, PortSwigger Agent | Last updated: Jul 24, 2024 07:39AM UTC

Hi Steven,

Thank you for your kind words - I have passed these on to all involved here at PortSwigger. Glad to hear that you found the whole journey challenging but, ultimately, a rewarding process. And finally, congratulations again on passing the exam!
