SecOps Certified Appsec Pentester (CAPen) Exam - A Comprehensive Review

TLDR; 

1. It is a great exam and we recommend pursing it.
2. Read below to get an 80% discount code on this exam. ⏬

Penetration Testing (pentesting) requires a pentester to think creatively and prepare their methodology without blindly following a predefined checklist. As functionalities in a website change based on the industry, target audience, business logic, and the tech stack upon which it is built, it is essential to tweak our techniques and approach accordingly to achieve the best results.

The Certified Appsec Pentester (CAPen) exam from The SecOps Group exactly tests this skill of yours.

Recently, our cyber security engineer, Abhishek, took the exam and passed it with flying colours. Read the entire exam review to help you prepare and set the right expectations.

This practical examination measures a candidate's ability to identify and exploit various vulnerabilities to obtain flags over four hours. Being an independent certification authority, the SecOps Group doesn't provide any training for the exam. Still, it gives you a comprehensive list of topics to focus on and numerous resources to practice before taking the exam. 

In this article, I will cover a detailed exam review and some tips to pass the exam.

Exam Overview

• Exam Cost:  £250 (Grab the same at £50 with the code ‘Harsh-CAPen-80’ - a massive 80% discount on CAPen exam especially for our readers).
• Target Audience: Candidates with an intermediate level of pentesting/bug bounty skills, preferably at least 2 years of professional experience.
• Voucher Validity: Always valid
• Certification Validity: This does not expire. However, the candidate can take the newer version of the exam when it is updated over time.
• Pre-Scheduling: This is not required, as you can start at your convenience. 
• Exam Duration: 4 hours 15 minutes 
• Exam Environment: Stable and Fast. VPN credentials and connection instructions will be provided soon after you purchase the voucher.
• Passing Criteria:  60% or above to Pass // 75% or above to Pass with Merit 
• Retake Policy: One retake is allowed with the existing voucher.

In short, CAPen can be considered an intermediate-level examination where the candidate needs to demonstrate his practical knowledge in application pentesting to pass the exam.

CAPen is also listed in the preferred pathways for Synack’s Synack Red Team criteria. This allows the certificate holder to improve their chances of acceptance into the Synack Red Team by bypassing the initial onboarding process of resume review. Thus, passing this exam significantly improves your chances of joining the elite group of pentesters. 

You can find more about the SRT Preferred pathway criteria here: https://www.synack.com/red-team/pathways/

Exam Syllabus

The Exam syllabus provided on the SecOps Group website is as follows.

Exam Portal Overview

• Start the exam from the SecOps Group Candidate Site, as instructed in the mail you receive after purchasing the voucher. 
• Before starting the exam, ensure you are connected using the VPN provided.
• Wait 5 minutes for the firewall rules to be pushed after you start the exam in the portal. If you cannot access the URLs required for the exam, just restart the VPN again to fix this issue.
• You have about 4 hours and 15 minutes to solve 17 questions with varying difficulty.
• The exam will automatically finish after the provided time, and the VPN connection will be terminated after the exam completion.
• Ensure you generate a fresh VPN profile (.ovpn file) before you take any exam, including retests.

Summary of the Exam

• This exam involves questions about identifying and exploiting specific vulnerabilities to obtain flags that solve the corresponding question.
• Apart from the ones where you must obtain flags, there are numerous True/False and MCQ-based questions to balance the difficulty.
• The difficulty of the questions ranges from easy to intermediate.
• Be familiar with the OWASP Top 10 vulnerabilities, along with identifying and exploiting the same to ace the exam.
• This is an open-book examination based on practical scenarios, and you can use the internet.

During the first hour of the exam, I reviewed all the questions once to understand the possible vulnerabilities and their exploitation. For vulnerabilities that could be exploited via automated tools, I worked on them alongside problems that needed manual pen testing. This way, I could work on multiple vulnerabilities simultaneously, saving time.

By the end of the second hour, I could answer questions that pushed my marks beyond the pass criteria, allowing me to focus on the other questions that I had difficulty exploiting during the initial attempt. Thus, with around 2 hours left for the tough questions, I was able to try multiple techniques, tweak my payloads, and find ways to exploit the same. 

During the entire process, I took detailed notes of the techniques and flags obtained, which helped me verify my answers again. Taking notes will also be helpful if you can’t clear the exam the first time and must retake it later since the same questions will be repeated during the second attempt.

The 4-hour time was enough to complete the exam, and the result will be displayed as soon as we finish it. Your CAPen certificate can be verified using https://secops.group/certificate-validation/ thereby adding authenticity to your hard-earned certification. The SecOps group also provides free mock exams for all their pentesting exams, and attempting the CAPen mock exam before the real one helped me a lot in managing my time and getting initial ideas about the exam pattern. The mock exam can be attempted multiple times.

Resources

Below are a few of the resources that helped me pass the exam so you can also use them.

1. SQL Injection (SQLi)

• https://portswigger.net/web-security/sql-injection
• https://www.stationx.net/sqlmap-cheat-sheet/

2. Cross-Site Request Forgery (CSRF)

• https://portswigger.net/web-security/csrf
• https://portswigger.net/web-security/csrf/lab-no-defenses

3. External XML Entities (XXE)

• https://portswigger.net/web-security/xxe#how-to-find-and-test-for-xxe-vulnerabilities
• https://portswigger.net/web-security/xxe#exploiting-xxe-to-retrieve-files

4. Cloud Misconfigurations 

• https://secops.group/the-anatomy-of-aws-misconfigurations-how-to-stay-safe/
• https://medium.com/@janijay007/s3-bucket-misconfiguration-from-basics-to-pawn-6893776d1007
• http://flaws.cloud/
• http://flaws2.cloud/

5. Broken Access Control 

• https://portswigger.net/web-security/access-control
• https://portswigger.net/web-security/access-control/idor

6. Broken Authentication 

• https://portswigger.net/web-security/authentication
• https://portswigger.net/web-security/authentication/other-mechanisms#resetting-user-passwords

7. Cross-Site Scripting (XSS) 

• https://portswigger.net/web-security/cross-site-scripting
• https://portswigger.net/web-security/cross-site-scripting/contexts
• https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting

8. Insecure File Upload

• https://portswigger.net/web-security/file-upload
• https://book.hacktricks.xyz/pentesting-web/file-upload
• https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html

9. Other Resources 

• TLS Security: https://www.acunetix.com/blog/articles/tls-security-what-is-tls-ssl-part-1/
• HTTP Headers: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers 
• Cipher Suites and Protocols: https://kcm.trellix.com/corporate/index?page=content&id=KB91115

Tips and Tricks

• Practising the mock exams thoroughly before appearing for the actual exam will give you a significant head start in the real one.
• Try to work on multiple vulnerabilities simultaneously for questions where you can automate the exploitation to save time.
• Take detailed notes of the techniques you used for each question and the flags obtained, as this will be very useful if you need a second attempt at the exam.
• If you use automated tools, try to learn their usage well, including their different functionalities rather than just the primary usage.
• The syllabus on the website is more than enough to pass the examination, but make sure you have practised well in vulnerable labs to understand different scenarios while exploiting a particular bug.
• Check out exam reviews from people who have already passed the same to get an idea of the techniques they used.

Overall Feedback

The exam challenges are realistic and great for testing your practical skills. If you are an experienced pentester who wants to show proof of validation for your skills or a novice pentester who wants to evaluate your current knowledge in web application security, this exam is the perfect choice.

The affordable price and the free retake make this a good option for anyone who wants to validate his knowledge without spending a hefty amount on training. I feel that the exam-only approach in SecOps group certifications helps a candidate develop his skills above and beyond the usual training plus certifications, thus directly helping him during real-life pentest engagements.

Kudos to The SecOps Group for adopting such a model for their pentesting exams. I highly recommend this exam to anyone who wants to evaluate their skill level in Web Application Security.

We hope that Abhishek's experience and review of the CAPen exam will help you decide and take the step forward to pursue the exam and pass with flying colours. We wish you the best in your cyber security journey.

SecOps Group Exams: https://secops.group/pentesting-exams/