I passed the Burp Suite Certified Practitioner (BSCP) exam in my third attempt and compiled the insights from my attempts into this guide. Now you can learn from my mistakes! This will help you to pass the exam and get certified.
What’s BSCP?
BSCP is a certification offered by PortSwigger that proves your knowledge in web security testing and Burp Suite skills. In order to get certified, you have to pass a practical exam. PortSwigger describes it like this:
“You will have four hours to complete the Burp Suite Certified Practitioner exam. There are two applications, and each application contains deliberate vulnerabilities.”
— https://portswigger.net/web-security/certification/how-it-works
Preparation
“How to Prepare” Site
A perfect place to start is the How to Prepare site of the Web Security Academy. It contains a list of labs you should have solved before trying the exam. Furthermore, it states you should have solved five mystery labs and take the practice exam. We are going to discuss both of these topics below.
Dashboard of exam preparation steps
For a broader approach on the topics of web application security, I can also recommend the Web Security Academy’s Learning Path. There are 25 topics to cover, ranging from basic SQL injections up to the infamous HTTP request smuggling. All of these topics contain great learning material accompanied with practical labs. This is an insane collection of web application pentest resources and best of all: it’s free. Even if you do not want to get certified, you should definitely take a look.
Excerpt of the Web Security Academy’s Learning Path
Solving labs definitely is the foundation of passing the exam. Not only will this teach you how to exploit various web application vulnerabilities, but it will also familiarize you with the lab and exam environment, including the built-in exploit server.
Cheat Sheets
On your journey through the contents of the Web Security Academy, create your own cheat sheets. Although there are tons of cheat sheets on the Internet, creating your own collection is extremely valuable. It helps you to summarize and internalize what you have learned in the appropriate level of detail. Public cheat sheets usually are for a broad audience and contain too much information to be helpful in a limited amount of time. I have organized my cheat sheets in Markdown files, one for each topic.
Exploits
While you are working through the labs, you will create numerous exploits. Write those down as well. The exam requires you not only to find vulnerabilities but also exploit them. You do not want to waste your exam time on researching ways to exploit a cross-site scripting vulnerability in order to extract a session cookie.
Mystery Labs
Mystery labs are a way to solve the ordinary labs from Web Security Academy without knowing the objective of the lab.
This helps to improve your general approach during the exam.
However, some of the objectives are hard to guess or don’t make sense in an exam context, e.g. popping an alert(1) box.
If you get stuck, reveal the objective and make improvements to your recon phase that would have helped you to figure it out.
Mystery Lab Challenge
I documented my approach, thoughts and procedure while solving five mystery labs to give you an insight into my preparation. You can find it under the hashtag #MysteryLabChallenge on Mastodon and Twitter.
Practice Exam
PortSwigger provides a practice exam. Instead of two, there is just one application to solve. You can take the practice exam as often as you like and should solve it before taking the real exam. Note the steps that take you a long time and try to improve them to get faster. In my preparation, I failed the practice exam several times. Don‘t get discouraged when you fail, but learn from your mistakes.
Take the Exam
This section gives you advice how to successfully take the exam.
Block time
This should be obvious. Block yourself five hours of time in which you are undisturbed. Put your daily distractions aside. You want to concentrate. The exam time itself is four hours. But starting the exam takes a while, especially when you are in your first trial and don‘t know what you have to expect.
Examity
Before taking the exam, you have to go through the verification process of Examity. I won’t go into its details here. Just note that you are not proctored during the entire exam, as I first thought I would. You have to identify yourself and then insert a password that will start your exam environment. Afterwards, screen and web cam recording are not required anymore. Note that the exam timer will only start running as soon as you open one of the exam‘s application.
The verification process requires you to use Windows, MacOS or ChromeOS and the Chrome browser. But you do not have to take the exam in that environment.
You can - and probably should - use a different browser for the exam than for the Examity session. This keeps your Burp history clear. Just log into your PortSwigger account and go to the exam page - or copy & paste the URLs to your exam applications.
Burp Settings
Use the settings and extensions you were comfortable with during the labs. However, definitely ensure that you are using the official Burp Collaborator URL. Other URLs will not be accessible from the labs. Especially for seasoned pentesters, this can be a pitfall as they might have a private collaborator service as default setting.
I recommend to create a specific project options file for the exam, which you can load when starting Burp Suite. Also ensure to create a project file and save it for at least seven days because PortSwigger might ask to see it.
The Embedded Browser
Burp Suite has an embedded Chromium browser that is optimized to work with it. Apart from that, the victim is using Chromium as well. In order to create exploits you should use the same browser. This enables you to test them beforehand and reduce unnecessary errors.
Exam Rules
Carefully read what the exam involves and the official exam hints by PortSwigger. I always like to summarize such rules into a few notes to have them in memory.
Some of the main takeaways are:
- There is always an administrator account with the username
administrator, plus a lower-privileged account fromuserlist.txt, usually calledcarlos. - Download the current version of the username and password list for brute force attacks.
- Exploit SSRF vulnerabilities by accessing an internal-only service, running on
localhost:6566. - Ignore the
_laband_lab_analyticscookies. - You never need to guess folders, filenames or parameter names.
Exam Stages
PortSwigger states that there are always three stages in each application.
- Access any user account
- Elevate your privileges to access
/admin - Access
/home/carlos/secretand submit the content
These are expected to be completed in order.
Have this in mind when planning your attacks and focus on your current objective.
For example, there is no point trying to access /admin as long as you don’t have access to a user account.
Obviously, I don’t know all the scenarios PortSwigger created for their exam. However, it seems likely to me that stage 3 always is a server-side attack as the goal is to read the contents of a file. Stages 1 and 2 might contain client-side attacks against active users as well.
Reduce Attack Vectors
PortSwigger states that there is up to one active user in each application. This means that as soon as you have exploited a client-side vulnerability, you can focus on server-side vulnerabilities only. This will greatly reduce the possible attack vectors. Say, you used XSS to access a user account. For stages two and three, you can now cross out CSRF, Clickjacking, further XSS attacks and more.
Reduce Attack Surface
As the stages have to be completed in order, the parts of the web application you unlocked by solving a stage are most probably the ones you have to attack next. Focus your tests on these new features. In stage 2, this is the profile page. In stage 3, it’s the admin panel. However, also keep your eyes open for differences in previously accessible features.
The Aftermath
Hopefully, you managed to solve both applications and now are a Burp Suite Certified Practitioner. If not, it is time to review what went wrong and to improve.
If you found you took too much time for a specific vulnerability, add notes and exploits to your cheat sheets. Also, always write down the solutions to the stages you solved. I had recurring vulnerabilities in my three attempts. Knowing a solution will give you a lot of spare time during your next attempt.
Good luck and have a great day.