Get Burp Suite Certified for $99

How to get your certification

PortSwigger

The Burp Suite Certified Practitioner exam is a challenging practical examination designed to demonstrate your web security testing knowledge and Burp Suite skills. By achieving this certification, you can showcase your expertise to potential clients, demonstrate your abilities to prospective employers, and bring accreditation to your personal career development.

Overview

We have created this certification in collaboration with a third-party proctoring service, called Examity. The exam itself will follow a process fairly similar to that of the labs within the Web Security Academy, and the practice exam, but in order to take the exam you will first need to go through an identity verification process with Examity..

To become a Burp Suite Certified Practitioner, you will need to work through the following steps:

  1. Book your certification exam.

  2. Create a user profile with Examity.

  3. Check the system requirements.

  4. Take your certification exam.

  5. Get your certification results.

You'll need a Burp Suite Professional subscription to take the exam.

Please note that before you take the final exam, you will need access to Burp Suite Professional. Get a subscription to Burp Suite Professional now, if you don't already have one.

Booking your exam

Once you have made the payment for your Burp Suite Certified Practitioner exam, you will be directed through to Examity. This is our third-party proctoring platform, where you will need to officially book your exam.

How does a proctoring service work?

We have partnered with Examity, our third-party proctoring platform, to make your exam experience as secure as possible. The process is very simple, and involves an ID check and security question verification - these are both carried out with a live proctor. Your ID check and security question verification will be recorded, and you will be unable to pass the exam until Examity have verified your ID check.

The confirmation for your exam booking will be sent from Examity, so please ensure that you retain a copy of this information as we (PortSwigger) will be unable to replicate it for you.

Creating a user profile

In order to complete your exam, you will need to create an Examity profile. This will be a requirement when you have booked your certification exam. The things you will need to complete this profile are as follows:

  1. Your phone number and time zone. Including your time zone is vitally important, as this will allow the proctoring appointments to be set at the correct time for you.

  2. A photo of a government-issued photo ID. This can be a driver's license, passport, military identification card, or another form of acceptable ID. Just be sure that your name and photo are visible and that the image is clear and bright enough to be easily read. Please note: you will need to have this ID with you on exam day to verify your identity.

  3. Three "challenge" (security) questions and answers.

Taking the exam

In order to take the exam, you will first need to log in to your PortSwigger user account. You will find a button labeled "Take exam", which you will be able to use to begin the process of taking your exam. By clicking this button, you will begin the official exam process, including the verification by our live-proctoring service Examity. Once you have successfully completed the live proctoring session, Examity will enter your verification unique code and your exam will begin.

You will have three hours to complete the Burp Suite Certified Practitioner exam. Each application contains deliberate vulnerabilities, which means it can be completed in three stages:

  1. Stage 1: Access any user account.

  2. Stage 2: Use your user account to access the admin interface at /admin, perhaps by elevating your privileges or compromising the administrator account.

  3. Stage 3: Use the admin interface to read the contents of /home/carlos/secret from the server's filesystem, and submit it using "submit solution".

There is always an administrator account with the username "administrator", plus a lower-privileged account usually called "carlos". If you find a username enumeration vulnerability, you may be able to break into a low-privileged account using the following username list and password list.

Each application has up to one active user, who will be logged in either as a user or an administrator. You can assume that they will visit the homepage of the site every 15 seconds, and click any links in any emails they receive from the application. You can use exploit server's "send to victim" functionality to target them with reflected vulnerabilities.

If you find an SSRF vulnerability, you can use it to read files by accessing an internal-only service, running on localhost on port 6566.

Host header attacks are fair game, but the _lab and _lab_analytics cookies are part of the core exam functionality - please don't waste your time tampering with them.

To understand the skills required to take this exam, please refer to the prepare for the exam page.

Hints

We expect the three stages to be completed in order. This means that if you are in an application, attempting to break into the admin interface is a waste of time if you haven't yet got access to a user account. Likewise, we do not recommend attempting to read files if you don't have access to an admin account.

We restrict outbound traffic from the vulnerable servers to the internet. You won't be able to connect back to any internet server, except for burpcollaborator.net and the integrated exploit server. You can use the integrated exploit server to deliver any kind of payload to the vulnerable application or simulated user.

To progress through stages, you need not only to identify vulnerabilities, but also exploit them. For example, if you identified an XSS vulnerability, triggering "alert" execution won't be enough to get access to the next stage: you need to actually exploit it against one of the simulated users and steal their session. Likewise, for SQL Injection vulnerabilities, you need to extract credentials from the database and use them to access the target account. You don't need to worry about tedious dumping of all database content though: all tables, columns, and local files are easily guessable and require just a couple of minutes to manually extract the required password or token.

Scanning selected pages and insertion points with Burp Suite Professional will often help you quickly progress through the exam. Attempting a full application scan will not be feasible in the exam time frame.

The victim user is running Chromium. When using the XSS Cheat Sheet, focus on vectors that work on Chrome. If your XSS attack works in Chrome or Burp Browser, chances are it'll work on the victim.

You are welcome to use third party automated tools to solve the exam, but you will often find manual exploitation is faster. Although some of the vulnerabilities are tricky to find, we do not intentionally hide files or pages that contain them. You never need to guess folders, filenames or parameter names.

Requirements

The following sections will outline all of the requirements for the exam. Please make sure you have read through these sections thoroughly before booking your certification exam.

Identity verification

Before you can begin the Burp Suite Certified Practitioner exam, you will need to go through the proctoring process with our third-party proctoring service, Examity. The process follows these steps:

  1. Using a process called live authentication, the live proctor will verify that the ID on file matches with the ID you have brought to the test. They will then compare the two with a real-time webcam feed of you in your test environment.

  2. The proctor will then ask you one of the three "challenge" (security) questions, that you created when you made your user profile with Examity.

  3. You will then need to submit your digital signature.

When you have successfully completed all of the required proctoring stages, you will be given access to the exam.

Exam conditions

You must not communicate or attempt to communicate with anyone during the exam. We advise taking the practice exam under similar conditions in order that you are properly prepared.

Proficiency/skill

In order to successfully attempt the Burp Suite Certified Practitioner exam, you must be able to complete all labs labeled "Practitioner" or lower within the Web Security Academy, without requiring use of the solutions provided. For more details, please refer to the how to prepare for the exam page.

Language

All exam materials will be presented in English. If you can comfortably read the learning materials within the Web Security Academy, and all of the exam guidance pages, the exam will not present you with any language-based challenges.

System

Operating system:

  • MacOS X 10.5 or higher.

  • Windows Vista or higher.

  • ChromeOS.

Please note that our proctoring service, Examity, does not support Linux.

Browser:

  • Google Chrome - please disable your pop-up blocker.

Hardware:

  • Desktop or laptop.

  • Built-in or external webcam.

  • Built-in or external microphone.

  • Built-in or external speakers.

Please note that tablets and mobile devices are not supported.

Internet:

  • An upload and download speed of 2Mbps.

  • Hot spots are not recommended as a reliable internet connection is essential.

Software:

  • Burp Suite Professional. Please note that it will not be possible for you to complete the exam with any software other than Burp Suite Professional.

Your exam results

We will notify you by email with your results. If you successfully pass the Burp Suite Certified Practitioner exam, you will receive your certificate by email. If you failed the exam, we will let you know by email. We will also provide you with resources and guidance to help you prepare for re-booking your certification exam.

If you successfully pass the exam, and become a Burp Suite Certified Practitioner, make sure you let the world know! Add your certification status to your social channels and profiles, and let your employers and prospective employers know.

If your employer (or prospective employer) wishes to validate your certification, you will need to share the unique code on your certificate and the link to the validation platform.