The Burp Suite Certified Practitioner exam is challenging, and heavily focused on problem-solving. Obtaining this certification proves that you have a deep knowledge of web vulnerability classes, and the skills required to discover and exploit them. To be successful, you need to demonstrate a number of skills and abilities. The best way to prepare for the exam depends on your level of experience.
If you're still developing your web security knowledge, we recommend the following approach:
If you already have extensive web security experience, you don't necessarily need to work your way through the entire Web Security Academy before sitting the Burp Suite Certified Practitioner exam. Completing the steps outlined below will help you to:
Work through all of the labs on the list at the link below, completing each lab in turn. There is no set time frame for completing the labs, but you must be able to do so without requiring access to the solutions provided.
If you're unable to complete the lab you selected, go back to the learning materials and read through the content carefully, working through all the labs in that topic to make sure you're comfortable with the vulnerability class and exploit techniques it covers.
These labs have been selected because they reinforce core web security testing skills - such as understanding encodings and using them to evade defences, and proficiency in exploiting cross-user attacks. These specific labs support your exam preparation in terms of skill development, but they are in no way a list of the components you'll be expected to solve to complete the exam.
Use the mystery lab challenge below to spin up five practitioner-level randomized lab challenges - you'll have to try and work out how to solve each challenge with no context, exactly as you would when performing recon in a real-world testing environment.
In some of the labs, you have access to your own account with the credentials
wiener:peter. If you can enumerate usernames, you may also be able to brute-force the login using the following
username and password wordlists.
The practice exam is designed to be a realistic test of all your web security skills. It will also allow you to get used to the format the real exam will use. Before you take the practice exam, read through the exam hints and guidance for some tips and advice to help you succeed.
If you are unable to pass the practice exam, we strongly suggest that you work through the steps outlined in this guide again to further hone your skills.
You have two hours to complete the practice exam, which contains one vulnerable application for you to exploit.