# eWPTv2

<div align="left"><figure><img src="https://1357648772-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FesKkkNq5JVqzRLKWf4Ug%2Fuploads%2FrLKvpiD91gPpZZPmir4N%2Fimage.png?alt=media&#x26;token=d45c4130-9d05-47b0-9ec8-eed0b2f5feef" alt="" width="140"><figcaption><p><a href="https://ine.com/learning/certifications/external/elearnsecurity-web-application-penetration-tester">https://ine.com/learning/certifications/external/elearnsecurity-web-application-penetration-tester</a></p></figcaption></figure></div>

**INE Security’s eWPT is a certification for professional-level penetration testers; it validates that the individual has the knowledge, skills, and abilities required to fulfill a role as a web application penetration tester.**

This certification exam covers **Web Application Penetration Testing Processes and Methodologies**, Web Application Analysis and Inspection, and much more. See the Exam Objectives below for a full description.

This exam is designed to be a milestone certification for someone with foundational experience in **web application penetration testing**, simulating the skills utilized during a real-world engagement. This exam truly shows that the candidate has what it takes to be part of a high-performing penetration testing team.

## Course duration & Topics ⏳📚 <a href="#course-duration-and-topics" id="course-duration-and-topics"></a>

\~ 106 hours (**10** courses, **175** videos, **126** quizzes, **58** labs)

* [**Introduction to Web App Security Testing (WAPT)**](https://dev-angelist.gitbook.io/ewptv2-notes/readme/system-security) \~ 11 hours
* [**Web Fingerprinting and Enumeration (Information Gathering)**](https://dev-angelist.gitbook.io/ewptv2-notes/readme/network-security) \~ 10 hours
* [**Web Proxies**](https://dev-angelist.gitbook.io/ewptv2-notes/readme/powershell-for-pt) \~ 12 hours
* [**Cross-Site Scripting (XSS)**](https://dev-angelist.gitbook.io/ewptv2-notes/readme/system-security-1) \~ 9 hours
* [**SQL Injection (SQLi)**](https://dev-angelist.gitbook.io/ewptv2-notes/readme/system-security-2) \~ 17 hours
* [**Common Attacks**](https://dev-angelist.gitbook.io/ewptv2-notes/readme/5.5-other-common-web-attacks) \~ 12 hours
* [**File & Resource Attacks**](https://dev-angelist.gitbook.io/ewptv2-notes/readme/system-security-3) **& Web Service Security Testing** \~ 11 hours + 5 hours
* [**CMS Pentesting**](https://dev-angelist.gitbook.io/ewptv2-notes/readme/system-security-4) \~ 9 hours
* [**Encoding, Filtering & Evasion**](https://dev-angelist.gitbook.io/ewptv2-notes/readme/system-security-5) \~ 8 hours

🛣️ [**RoadMap / Exam Preparation**](https://dev-angelist.gitbook.io/ewptv2-notes/roadmap-exam-preparation) 🧑🏻‍🏫

## E-Links 🔗📔 <a href="#useful-links" id="useful-links"></a>

* Where to find the Web Application Penetration Tester course? - [INE Learning Paths](https://my.ine.com/CyberSecurity/learning-paths/8c322180-1499-40c7-af8f-a877554fca3d/web-application-penetration-testing-professional-ewptv2)
* Where to find the eWPTv2 certification exam? - [eWPT](https://security.ine.com/certifications/ewpt-certification/)

## Training and Labs

* [OWASP Mutillidae II](https://owasp.org/www-project-mutillidae-ii/)
* [How to install XAMPP and Mutillidae II](https://subscription.packtpub.com/book/security/9781788624039/1/ch01lvl1sec04/installing-mutillidae-on-linux)
* [PortSwigger Web Sec Academy](https://app.gitbook.com/s/rRWtuMw6xkkeDjZfkcWC/#portswigger-web-security-academy)
* [DVWA](https://app.gitbook.com/o/s2H3MdEB0Qp2IbE58Gxw/s/l27MAim0y0z73W12Z3gU/)
* [SecureBank](https://app.gitbook.com/s/rRWtuMw6xkkeDjZfkcWC/secure-bank)

## [eWPT](https://security.ine.com/certifications/ewpt-certification/) Exam 📄🖊️ <a href="#ejpt-exam" id="ejpt-exam"></a>

* **Exam Type**: Multiple-choice quiz (through a lab environment)
* **Time limit**: 10 hours
* **Expiration date**: 3 years
* **Objectives**:

  **Web Application Penetration Testing Processes and Methodologies (10%)**

  * Accurately assess a web application based on methodological, industry-standard best practices
  * Identify vulnerabilities in web applications in accordance with the OWASP Web Security Testing Guide

  **Information Gathering & Reconnaissance** (10%)

  * Extract information from websites using passive reconnaissance & OSINT techniques
  * Extract information about a target organization’s domains, subdomains, and IP addresses
  * Examine Web Server Metafiles for information exposure

  **Web Application Analysis & Inspection** (10%)

  * Identify the type and version of a web server technology running on a given domain
  * Identify the specific technologies or frameworks being used in a web application
  * Analyze the structure of web applications to identify potential attack vectors
  * Locate hidden files and directories not accessible through normal browsing
  * Identify and exploit vulnerabilities caused by the improper implementation of HTTP methods

  **Web Application Vulnerability Assessment** (15%)

  * Identify and exploit common misconfigurations in web servers
  * Test web applications for default credentials and weak passwords
  * Bypass weak/broken authentication mechanisms
  * Identify information disclosure vulnerabilities

  **Web Application Security Testing** (25%)

  * Identify and exploit directory traversal vulnerabilities for information disclosure
  * Identify and exploit file upload vulnerabilities for remote code execution
  * Identify and exploit Local File Inclusion (LFI) and Remote File Inclusion (RFI) vulnerabilities
  * Identify and exploit Session Management vulnerabilities
  * Exploit vulnerable and outdated web application components
  * Perform brute-force attacks against login forms
  * Identify and exploit command injection vulnerabilities for remote code execution

  **Manual Exploitation of Common Web Application Vulnerabilities** (20%)

  * Identify and exploit Reflected XSS vulnerabilities
  * Identify and exploit Stored XSS vulnerabilities
  * Identify and exploit SQL Injection vulnerabilities
  * Identify and exploit vulnerabilities in content management systems
  * Extract information and credentials from backend databases

  **Web Service Security Testing** (10%)

  * Identify and enumerate information from web services
  * Exploit vulnerable web services

## Resources 📑📘

### 👉 [RoadMap / Exam Preparation for eWPTv2](https://dev-angelist.gitbook.io/ewptv2-notes/roadmap-exam-preparation) 🛣️

### [👉 eWPTv2 Cheat Sheet 📔](https://dev-angelist.gitbook.io/ewptv2-notes/ewpt-cheat-sheet)

> 📖 [Read the Lab Guidelines](https://drive.google.com/file/d/1eSnfhypqA67dYyCU5wzquCjF3ymlqjm6/view) 📖


