Burp Suite Certified Practitioner - Tips on how to pass the exam

  • Published: 11 Sep 2024

Comments • 33

  • @Fahodinho
    @Fahodinho 1 year ago +23

    Music too loud.

  • @jmcsmtp
    @jmcsmtp 1 year ago +5

    Thank you very much for sharing your experience. It really helps to know the struggle is real.

  • @idreessyed
    @idreessyed 1 year ago

    Thank you Daniel for sharing these great tips. This certification is on my bucket list and I am trying to get as much info as I can before my first attempt.
    PS. The music is too loud and distracting in this video.

  • @JuanBotes
    @JuanBotes 1 year ago

    This is such a great explanation. In some of my failed attempts I was wondering how I could again send the exploit to the active "user". Thanks for taking the time to share and explain your journey, I am still on my journey \o/

  • @tarekradwan8661
    @tarekradwan8661 7 months ago

    Also, would it be the case that there is web cache poisoning if a response doesn't have an X-cache header? Or would they make it clear?

  • @cyberkhan7
    @cyberkhan7 1 year ago +3

    Can you share the payload file?

  • @Mike-cp1tj
    @Mike-cp1tj 5 months ago

    Wow, you turned it into a $1K certificate... thx for the honesty

    • @danielredfern9827
      @danielredfern9827  5 months ago

      Hahaha, that's one way of looking at it 🤣

    • @almascp2113
      @almascp2113 3 months ago

      Wait... So you have to pay 100 dollars for each attempt?

  • @tarekradwan8661
    @tarekradwan8661 7 months ago

    Is there a way to know the solutions of the exams you fail? Also, did you practice on any platforms other than Portswigger?

  • @tony.morell
    @tony.morell 3 months ago

    Did each of your exam attempts have different questions from previous attempts? If not, how close or far did they feel from the previous exam attempts?

    • @danielredfern9827
      @danielredfern9827  3 months ago +1

      They did initially, though after the 5th attempt I got the same traversal question, which I still don't know how to resolve even today.

  • @mdjuelhossain8908
    @mdjuelhossain8908 2 months ago

    Congratulations ❤

  • @IamNicoGreen
    @IamNicoGreen 1 year ago

    Hey, thanks for the video.
    My question is this: did you exploit each vuln intuitively, or did you sort of "map" the vulns of the exam to the lab scenarios?

    • @danielredfern9827
      @danielredfern9827  1 year ago +5

      Hi Nico,
      The majority of the vulns were correlated to the labs. That said, just doing the labs would not be sufficient. This is where the intuitiveness comes in. For example, you will need to understand the labs in detail, things like
      'Why am I using this payload instead of similar payloads?'
      and
      'What can I change in the example payload based on a different environment?'
      Learn the labs, use the examples from the labs, then determine how and when to manipulate the payloads when different scenarios arise
      Hope that makes sense and hope it helps 🙂

  • @John-shreds
    @John-shreds 1 year ago

    Gosh this sounds discouraging. What was your experience level when taking this certification? I'm going through the labs and they are challenging for me. Test must be very difficult.

    • @danielredfern9827
      @danielredfern9827  1 year ago +1

      Honestly, pen testing isn't my focal skill set. I'm technically minded, but I had to re-learn JS, understand terminology, etc. I, too, found the labs quite difficult to get my head round initially, mainly due to the sheer number of them to master.
      Test was difficult, though I'm sure your initial experience and understanding exceeds mine - you got this, John!

    • @John-shreds
      @John-shreds 1 year ago +1

      @danielredfern9827 Thanks Daniel. I'd say I'm in a similar boat. I appreciate the words of encouragement.

  • @intruder70
    @intruder70 11 days ago

    Hello. Can I use Burp Scanner and all features of Burp Pro on the exam?

    • @danielredfern9827
      @danielredfern9827  11 days ago

      Hello. Based on the FAQ portswigger.net/web-security/certification/frequently-asked-questions
      You can use extensions and other tools as it's an open book, not sure if you need to go outside of Burp though

  • @haireeizzam6349
    @haireeizzam6349 1 year ago

    Hi. Is it necessary to understand Javascript/construct code on the go to pass this exam?

    • @danielredfern9827
      @danielredfern9827  1 year ago +3

      Hey, yes, most certainly. I would prepare example code, then learn how to modify them based on the scenario

  • @user-oy8hr8ln2h
    @user-oy8hr8ln2h 1 month ago

    Can I go into the exam with the free trial of Burp Professional?

  • @jaywandery9269
    @jaywandery9269 8 months ago +1

    Is the certification enough to land me a job?

    • @danielredfern9827
      @danielredfern9827  8 months ago +1

      I think these days, the right mentality will land you a job opportunity. Developing your professional traits by learning this stuff is good evidence of that - good luck

  • @mariosst3880
    @mariosst3880 9 months ago

    Hey, cool video. Out of curiosity, how did you deal with labs you could not solve? I did my first attempt, cleared the 1st lab, but on the 2nd I could not get a foothold. Not sure how I can deal with it if I get the same lab again... and I am wondering, given you did a few attempts, how you figured out unsolved labs for later on.

    • @danielredfern9827
      @danielredfern9827  9 months ago +1

      Hi @Mario,
      It's a good question. It was quite demoralizing when I got a repeat of the lab, especially the later ones.
      Generally speaking, the initial labs were easier to resolve. I would know that I'd located the vulnerability, I just needed to work out how to exploit it. So, after a failed exam, I would research the vulnerability outside the realms of the labs (because I was missing something)
      For example, if I knew that XSS was a known vuln, I would need to know how to exploit it. I would then research other blogs/websites outside the realms of Burp (because I knew what was being offered by Burp and their respective labs).
      I would spend some time and have 3-6 additional ideas that I could try IF the labs came up again, which they did. I would know if a payload showed positive results, I would know how to elaborate on the payloads if needed. The session hijack for example with XSS was an 'ah ha' moment during the exam. I knew what to look out for, and I knew the labs, though I didn't know how to actually extract the session or use different payloads, or what I should modify during the allotted time.
      I would build up a collection of payloads also that I could use or attempt to use, and have a gameplan if the labs come up again
      Hope that helps 🙂

  • @rajiniganth5322
    @rajiniganth5322 1 month ago

    Music too bad, unable to hear voice.

  • @user-tb2qh3ze6j
    @user-tb2qh3ze6j 11 months ago

    bro the music is too much

  • @TheFag
    @TheFag 1 year ago

    The background music is way too loud.