Research Academy Daily Swig
My account Customers About Blog Careers Legal Contact Resellers

Get Burp Suite Certified for $99

How to get your certification

Get certified Take practice exam
PortSwigger

Ready to take the exam? Here's what you need to know.

The Burp Suite Certified Practitioner exam is a challenging practical examination designed to demonstrate your web security testing knowledge and Burp Suite skills. By achieving this certification, you can showcase your expertise to potential clients, demonstrate your abilities to prospective employers, and bring accreditation to your personal career development.

Overview

We have created this certification in collaboration with a third-party automated proctoring service, called Examity. The exam itself will follow a process fairly similar to that of the labs within the Web Security Academy, and the practice exam, but in order to take the exam you will first need to go through an automated identity verification process with Examity.

To become a Burp Suite Certified Practitioner, you will need to work through the following steps:

  1. Purchase your certification exam.

  2. Create a user profile with Examity.

  3. Check the system requirements.

  4. Take your certification exam.

  5. Get your certification results.

You'll need a Burp Suite Professional subscription to take the exam.

To undertake the certification exam, you will need access to an active subscription of Burp Suite Professional. Get a subscription to Burp Suite Professional now, if you don't already have access to a separate license.

Purchasing your exam

You can purchase a Burp Suite Certified Practitioner exam from your PortSwigger user account. Once you have purchased your exam, you will need to create a user account with Examity. This is our third-party proctoring platform, who will perform your automated identity verification before your exam starts.

How does an automated proctoring service work?

We have partnered with Examity, an automated proctoring platform, to make your exam experience as secure as possible. The process is very simple, and involves an ID check and security question verification - these are both carried out with an automated proctor. Your ID check and security question verification will be recorded, and you will be unable to pass the exam until Examity have verified your ID check.

Purchase your Burp Suite Certified Practitioner exam now

Creating a user profile

In order to complete your exam, you will need to create an Examity profile. This is a requirement for taking your certification exam. The things you will need to complete this profile are as follows:

  1. Your phone number and time zone.

  2. A photo of a government-issued photo ID. This can be a driver's license, passport, military identification card, or another form of acceptable ID. Just be sure that your name and photo are visible and that the image is clear and bright enough to be easily read. Please note: you will need to have this ID with you on exam day to verify your identity.

  3. Three "challenge" (security) questions and answers.

Taking the practice exam

Before you take your real exam, we strongly advise that you take our practice exam. The practice exam is designed to simulate the environment of a real test situation, and will cover a variety of vulnerability classes and exploits.

The practice exam is there to allow you to get used to the format the real exam will use. It should also help you to gauge the difficulty level of the exam, and therefore judge for yourself whether you are at the required skill level to gain the certification.

There are no restrictions on the amount of times you may take the practice exam, and you may also quit the test simulation and begin again.

Take practice exam

What the exam involves

In order to take the exam, you will first need to log in to your PortSwigger user account. You will find a button labeled "Take exam", which you will be able to use to begin the process of taking your exam. By clicking this button, you will begin the official exam process, including the verification by our automated proctoring service Examity. Once you have successfully completed the automated proctoring session, your unique verification code will be automatically entered by Examity and your exam will begin.

You will have four hours to complete the Burp Suite Certified Practitioner exam. There are two applications, and each application contains deliberate vulnerabilities. This means that each application can be completed in three stages:

  1. Stage 1: Access any user account.

  2. Stage 2: Use your user account to access the admin interface at /admin, perhaps by elevating your privileges or compromising the administrator account.

  3. Stage 3: Use the admin interface to read the contents of /home/carlos/secret from the server's filesystem, and submit it using "submit solution".

There is always an administrator account with the username "administrator", plus a lower-privileged account usually called "carlos". If you find a username enumeration vulnerability, you may be able to break into a low-privileged account using the following username list and password list.

Each application has up to one active user, who will be logged in either as a user or an administrator. You can assume that they will visit the homepage of the site every 15 seconds, and click any links in any emails they receive from the application. You can use exploit server's "send to victim" functionality to target them with reflected vulnerabilities.

If you find an SSRF vulnerability, you can use it to read files by accessing an internal-only service, running on localhost on port 6566.

Host header attacks are fair game, but the _lab and _lab_analytics cookies are part of the core exam functionality - please don't waste your time tampering with them.

To understand the skills required to take this exam, please refer to the prepare for the exam page.

Hints

We expect the three stages to be completed in order. This means that if you are in an application, attempting to break into the admin interface is a waste of time if you haven't yet got access to a user account. Likewise, we do not recommend attempting to read files if you don't have access to an admin account.

We restrict outbound traffic from the vulnerable servers to the internet. You won't be able to connect back to any internet server, except for burpcollaborator.net and the integrated exploit server. You can use the integrated exploit server to deliver any kind of payload to the vulnerable application or simulated user.

To progress through stages, you need not only to identify vulnerabilities, but also exploit them. For example, if you identified an XSS vulnerability, triggering "alert" execution won't be enough to get access to the next stage: you need to actually exploit it against one of the simulated users and steal their session. Likewise, for SQL Injection vulnerabilities, you need to extract credentials from the database and use them to access the target account. You don't need to worry about tedious dumping of all database content though: all tables, columns, and local files are easily guessable and require just a couple of minutes to manually extract the required password or token.

Scanning selected pages and insertion points with Burp Suite Professional will often help you quickly progress through the exam. Attempting a full application scan will not be feasible in the exam time frame.

The victim user is running Chromium. When using the XSS Cheat Sheet, focus on vectors that work on Chrome. If your XSS attack works in Chrome or Burp Browser, chances are it'll work on the victim.

Burp Suite Professional provides the essential functionality to solve the exam. Some vulnerabilities are easier to solve with the following third party tools: ysoserial and HTTP Request Smuggler. These tools are used by certain labs at the "Practitioner" level. We recommend caution when using other tools - they may turn out not to be suitable for your objective.

Although some of the vulnerabilities are tricky to find, we do not intentionally hide files or pages that contain them. You never need to guess folders, filenames or parameter names.

Solutions

If you come up with a solution that doesn't work as expected, we can offer some general advice on what to do:

  1. If you're attacking the victim user, test the attack out on your own browser first. Pay close attention to the HTTP traffic sequence in Burp.

  2. If your solution is adapted from an Academy lab, try to analyze how the application differs from the lab.

  3. Try to identify any assumptions you're making, and put them to the test.

  4. Refer back to the skill set the certification aims to prove.

Requirements

The following sections will outline all of the requirements for the exam. Please make sure you have read through these sections thoroughly before purchasing your certification exam.

Identity verification

Before you can begin the Burp Suite Certified Practitioner exam, you will need to go through the proctoring process with our third-party automated proctoring service, Examity. The process follows these steps:

  1. Using a process called automated authentication, the automated proctor will verify that the ID on file matches with the ID you have brought to the test.

  2. The automated proctor will then ask you to provide an answer one of the three "challenge" (security) questions, that you created when you made your user profile with Examity.

When you have successfully completed all of the required automated proctoring stages, you will be given access to the exam.

Exam conditions

You must not communicate or attempt to communicate with anyone during the exam. We advise taking the practice exam under similar conditions in order that you are properly prepared.

Proficiency/skill

In order to successfully attempt the Burp Suite Certified Practitioner exam, you'll need to be capable of completing all labs labeled "Practitioner" or lower within the Web Security Academy, without requiring use of the solutions provided. For more details, please refer to the how to prepare for the exam page.

Language

All exam materials will be presented in English. If you can comfortably read the learning materials within the Web Security Academy, and all of the exam guidance pages, the exam will not present you with any language-based challenges.

System

Operating system:

  • MacOS X 10.5 or higher.

  • Windows Vista or higher.

  • ChromeOS.

Please note that our automated proctoring service, Examity, does not support Linux.

Browser:

  • Google Chrome - please disable your pop-up blocker.

Hardware:

  • Desktop or laptop.

  • Built-in or external webcam.

  • Built-in or external microphone.

  • Built-in or external speakers.

Please note that tablets and mobile devices are not supported.

Internet:

  • An upload and download speed of 2Mbps.

  • Hot spots are not recommended as a reliable internet connection is essential.

Software:

  • Burp Suite Professional. Please note that it will not be possible for you to complete the exam with any software other than Burp Suite Professional.

Get Burp Suite Professional

Your exam results

We will notify you by email with your results. If you successfully pass the Burp Suite Certified Practitioner exam, you will receive your certificate by email. If you failed the exam, we will let you know by email. We will also provide you with resources and guidance to help you prepare for re-booking your certification exam.

If you successfully pass the exam, and become a Burp Suite Certified Practitioner, make sure you let the world know! Add your certification status to your social channels and profiles, and let your employers and prospective employers know.

If your employer (or prospective employer) wishes to validate your certification, you will need to share the unique code on your certificate and the link to the validation platform.

How to prepare for the exam?

Read more

Take the practice exam

Read more

Ready to take the exam? Here's how it works.

Read more

Purchase your certification exam

Buy now