
Practice exam


The Burp Suite Certified Practitioner exam is a challenging practical examination designed to demonstrate your web security testing knowledge and Burp Suite skills. It is built and designed by PortSwigger Research, the same minds who brought you the Web Security Academy. Before you get started on the practice exam, make sure you've read all the hints and tips on this page.

How does the practice exam work?

The practice exam is designed to simulate the environment of a real test situation, and will cover a variety of vulnerability classes and exploits.

The exam contains links to several web applications, from which you must find and exploit the vulnerabilities present.

To progress through the stages, you need not only to identify vulnerabilities but also to exploit them. For example, if you identify an XSS vulnerability, triggering "alert" execution won't be enough to get access to the next stage: you need to actually exploit it against one of the simulated users and steal their session. Likewise, for SQL injection vulnerabilities, you need to extract credentials from the database and use them to access the target account.

Before you start your practice exam ...

Make sure you are comfortably able to do all of the below:

We've created a guide to augmenting your manual testing with Burp Scanner, to make sure you've got to grips with the full scope of scanning you'll need to perform during the exam. The exam also requires you to be able to adapt your attack methods to bypass broken defenses, specifically by obfuscating attacks using encodings.

Useful resources for your practice exam

As the exam is open book, you'll be able to access all of the below resources during your real exam, but it will help you to be familiar with them during your practice exam so that you're as prepared as possible.

Here are links to some resources you may want to have to hand when you take the exam:

How is the practice exam different to the real exam?

There is one key difference between the practice exam and the real exam.

Practice exam: You can restart the exam as often as you need, and retake the exam as many times as you like until you feel prepared.

Real exam: You cannot restart the exam - as soon as your exam timer starts you are committed to the exam session.

Make sure that you take the practice exam as many times as is necessary before you attempt the real exam - your revision and preparation are in your hands.

Part of being a professional is handling responsibility. While exploiting each application, you will gain access to powerful functionality. If you use this to delete your own account or a core system component, you may make your exam impossible to complete.

Ready to take the practice exam?

The practice exam is there to allow you to get used to the format the real exam will use. It should also help you to gauge the difficulty level of the exam, and therefore judge for yourself whether you are at the required skill level to gain the certification.

There are no restrictions on the number of times you may take the practice exam, and you may also quit the test simulation and begin again.

If you're already logged in to your PortSwigger user account, as soon as you hit the button below you'll be directed into the practice exam environment. If you're not yet logged in, when you hit the button below you'll be asked to log in before being directed to the practice exam start page.