SANS 542 and GWAPT Review

I recently finished the OnDemand version of the SANS 542 Web App Penetration Testing and Ethical Hacking course and passed the GIAC Web Application Penetration Tester (GWAPT) exam, so I thought I would post a few quick thoughts on the course and exam.

It’s more than a little redundant to say a SANS instructor did a great job, but Kevin Johnson rocked. I was slightly biased coming in, as I talked to him for about 90 seconds last year in Vegas and he was really friendly, but even setting that massive amount of personal experience aside, Kevin is both incredibly entertaining and a great teacher. I really want to take a class from him in person, so I need to keep my eyes peeled for any 642 offerings out west.

Mr. Johnson is very upfront about what the class is and isn’t. While there is a full day devoted to exploitation, the class is not a collection of “Here’s exploit A, now here’s exploit B…” but rather an overall look at web app pen testing methodology and best practices as a whole.

What this class won’t give you: “If they’re using WordPress version 3.2 I’ll use exploit X, but if they’ve upgraded to 3.3 I’ll use exploit Y.”

What this class will give you: the ability to properly examine a website, determine the underlying technologies, understand the possible attack vectors based on those earlier findings, and use the tools that help you locate these vulnerabilities and attempt to exploit them.

It really boils down to the old “give a man a fish vs. teach a man to fish” thing, and I’m extremely happy this class takes the approach it does. The SANS website course breakdown is accurate, so there’s no need for me to give a play-by-play on what was covered, but you will learn concepts for testing both specific types of technologies (AJAX, Flash, JavaScript, etc.) and technology-independent design and logic flaws. The course also covers using Python scripts to help automate your testing.

I had played with a lot of these tools and been exposed to a lot of the concepts from earlier courses and practice, but the 542 did a great job of providing a systematic approach and a barrel full of real-world stories which tie concepts taught in class to practical applications. As penetration testing is a hobby rather than a daily job for me, I greatly enjoyed and appreciated these.

Regarding the test, it’s short and I loved it! The test is 75 questions long and you have two hours to complete it. I finished with 30 minutes left and got a score in the low 90s, so it’s very doable.

My GWAPT index was quite a bit shorter (7-8 pages) than a lot of my previous indexes, but it honestly wasn’t a matter of laziness as much as that the material didn’t seem to lend itself to a fat index as well as other courses have. During the test I never looked for a topic in my index and came up empty, so mission accomplished.

There were definitely questions on the exam which required me to understand multiple concepts rather than just reference a particular page. I’m perfectly OK with that if the tradeoff is a two-hour enjoyable test instead of a five-hour exam that has me questioning my life choices towards the end. I hope more classes go to the shorter exam format.

In summary, I enjoyed the course, learned a lot, passed the test and had a good time doing it all.

17 thoughts on “SANS 542 and GWAPT Review”

  1. Congratulations! May I know the proportion of practical or hands-on questions? Are there any questions on the defense or prevention of attack? Thanks.

    • Thank you William.

      Without getting too specific, in addition to normal prep like having an index, book tabs, and an understanding of the main concepts (same origin, etc.), you should be able to look at JS or Python code and understand what is going on and spot possible issues.

      I don’t remember a ton of defensive content in the book, but I’m sure mitigation of different attacks was touched on. It’s definitely an offensive course rather than a secure coding course, though.

  2. Is the format of the exam similar to the practice tests? Is the exam more difficult than the practice tests? Thanks for your advice.

  3. Same difficulty level and content type. I scored higher on the real exam than I did the practice exams but I suspect that was largely a focus issue 🙂

  4. Thanks for your review! I just took the on-site 542 class with Kevin Johnson and I definitely recommend him. He keeps the sessions lively and he knows a lot. I have a question about the GWAPT exam: in the 542 course you go through a lot of tools. Does the exam cover specific tools? Ex: skipfish, Burp Suite, Nessus, etc.

    • One of (if not the) most important parts of any index (including GWAPT) is to have a tool index of every tool mentioned in the book, even if it’s just one bullet point down in the bottom part of a page.

      If you have a good tool section in your index the tool questions will all be quick freebies.

  5. Hi,
    Can you share your index? I’ve made one but I think it’s not very efficient…
    thomaslesud at

    Thanks 😉

    • I struggled with an index on this one too (mine was way tiny); it’s not just you. The material just didn’t seem to lend itself to an index as much as some other exams. If you have the concepts, you’ll likely do great.

  6. Sucks that Kevin resigned from SANS… I took the SEC542 course in Denver, but I enjoyed it! Now to schedule the exam…

    • My buddy was at that Denver class and told me that he’s been to comedy clubs where he never laughed that hard.

      Kevin is and always will be one of my favorite instructors. I got one of his recent 2 hour “mini trainings” a few months ago and loved it.

      Good luck on the 542!!! It’s a quick one so it doesn’t have the mental fatigue of a GSEC or CISSP length test.

  7. Matt,

    Thank you for posting your thoughts on this course. I am thinking about taking it as a way to learn Burp and Nessus. Would you say that this course will help learn those tools for the purpose of testing web applications?

    • Burp was covered quite well, but I don’t remember a ton on Nessus. It’s been a while since I took it, though, so things may have changed a bit since then.

      I enjoyed this class since it wasn’t “point these tools at the site and push go”; they really went through the minutiae of checking things like program flow, which those who pen test web apps for a living say is key.

  8. Hi Matt,

    Thanks for your valuable suggestions. Could you please let me know about the practice test: are the questions in the exam similar to those in the practice test?

    Also, will studying the 5 GWAPT books be enough to pass the exam?

    You mentioned that a person needs to look at JavaScript and Python code, so is it about doing source code review? What if someone doesn’t know those languages? How much knowledge of those languages is required?

    Best Regards

    • Kabir —

      It’s been almost two years since I took the test, but at that time, yes, the practice exams were in line with the material on the exam. You absolutely do not need to be a professional programmer, but you should be able to look at basic JavaScript and Python code and understand what it’s trying to accomplish, what the variables are, etc.

      Good luck!!!


Leave a Reply

Your email address will not be published. Required fields are marked *