
Burp Suite Certified Practitioner Exam Review


Introduction

To preface this post, I want to briefly describe my level of experience to help others who might take this exam better benchmark how long it might take them to study.

I studied computer science in college and earned a bachelor’s degree, which included a few security-related courses. Aside from that, most of my learning came from CTFs on Hack The Box, TryHackMe and similar platforms. Before trying out the Web Security Academy, my experience with web application security was basically limited to those things.

I had been working as a penetration tester for about two months when I began studying and had been playing CTFs for about two years.

I also think I took a somewhat overkill approach to studying for the exam, and that most people could get a passing score with a lot less work.

About the Exam

In order to take the BSCP (Burp Suite Certified Practitioner) exam you need to meet a couple of requirements: some financial, others relating to completing course material.

The exam itself only costs 99 USD for one attempt, but you also need a license for Burp Suite Professional, which can run you hundreds of dollars if you are paying out of pocket. I am fortunate enough that my employer provides a license key, so that cost was not a factor for me.

The second requirement is completing the labs for a set of topics in PortSwigger’s Web Security Academy. At the time of writing, you need to complete 23 apprentice labs, 8 specific practitioner labs, 5 mystery labs, and 1 of the 2 available practice exams. Once you’ve done all of these you can go ahead and take the exam.

When I took the exam it was proctored through a service called Examity, which required a Windows host OS and recorded my microphone, webcam, and screen. You must work in a Burp project file during the exam, and that project file has to be submitted alongside the exam attempt.

The exam itself consists of two web applications with three stages each. The first stage requires you to gain access to a victim account, the second stage requires you to escalate privileges to an administrator account, and the third stage requires you to exfiltrate some data from the underlying host the web application is running on.

These distinct stages mean that you don’t need to look for every possible vulnerability in the exam pool at every step; you can narrow the search down a bit. I made a table, based on the labs, showing which stage each topic is likely to appear in.

[Image: burp-table]

The darker color in a cell indicates higher likelihood; the white cells indicate that you’ll likely never see that topic in that stage. For example, JWT is listed as primarily stage 1 because in the labs you mostly use it to escalate privileges, but it isn’t impossible that you’d be issued a JWT as a guest user that you could tamper with to compromise an initial user. You would not typically ever see a JWT used to exfiltrate data, though.

The exam lasts four hours, and the environment you interact with is nearly identical to the practice exams. I personally think more mystery labs and practice exams should be required before taking the exam.

How I Studied

I studied by making YouTube videos and blog posts for each topic in PortSwigger’s Web Security Academy. I would go through all the labs and take notes, then make a shorter version for the blog in which I tried to find those same vulnerabilities in CTF challenges or Hack The Box machines. I followed that process from October through February to initially learn most of the material.

I then took a month and a half to make a study guide sheet, for which I went through most of the labs in each topic again and modified the payloads to fit an exam context. In some cases, instead of triggering an alert() you might want to send a cookie to your Collaborator server, that sort of thing.

Once that was done, I wanted to make sure I wouldn’t have trouble identifying vulnerabilities on the exam, so I decided to grind through a bunch of the mystery labs. I would typically time myself and try to complete every lab in under 15 minutes, which helped me work out which extensions I liked to use and get familiar with the Burp Scanner and Target tools.

The morning of the exam I brushed up on the types of mystery labs that had given me trouble, and I probably completed around 15-25 mystery labs that day before deciding to start my exam. I took the exam on the night of March 30th and passed in a little over an hour and twenty minutes. I experienced no technical difficulties, but there was a slight delay in getting my certification verified because I took the exam on a holiday weekend.

[Image: burpcertimage]

Other Tips

Aside from following what I did, there are some study resources I found very helpful:

I used the following tools and extensions to make my life easier on the exam:
