The Burp Suite Certified Practitioner exam is a challenging practical examination designed to demonstrate your web security testing knowledge and Burp Suite skills. It is built and designed by PortSwigger Research, the same minds who brought you the Web Security Academy. Before you get started on the practice exam, make sure you've read all the hints and tips on this page.
The practice exam is designed to simulate the environment of a real test situation, and will cover a variety of vulnerability classes and exploits.
The exam contains links to several web applications, from which you must find and exploit the vulnerabilities present.
To progress through stages, you need not only to identify vulnerabilities, but also exploit them. For example, if you identified an XSS vulnerability, triggering "alert" execution won't be enough to get access to the next stage: you need to actually exploit it against one of the simulated users and steal their session. Likewise, for SQL Injection vulnerabilities, you need to extract credentials from the database and use them to access the target account.
Make sure you are comfortably able to do all of the below:
Complete all of the labs within the Web Security Academy labeled "Practitioner" or lower without requiring access to the solutions provided.
Use Burp Suite Professional to quickly identify weaknesses and potential attack points.
Confidently use Burp Suite Professional's manual tools to aid exploitation.
Utilize the correct tools to perform out-of-band attacks.
We've created a guide to augmenting your manual testing with Burp Scanner, to make sure you've got to grips with the full scope of scanning you'll need to perform during the exam. The exam also requires you to adapt your attack methods to bypass broken defenses, specifically by obfuscating attacks using encodings.
As the exam is open book, you'll be able to access all of the below resources during your real exam, but it will help you to be familiar with them during your practice exam so that you're as prepared as possible.
Here are links to some resources you may want to have to hand when you take the exam:
There is one key difference between the practice exam and the real exam.
Practice exam: You can restart the exam as often as you need, and retake the exam as many times as you like until you feel prepared.
Real exam: You cannot restart the exam; as soon as your exam timer starts, you are committed to the exam session.
Make sure that you take the practice exam as many times as is necessary before you attempt the real exam - your revision and preparation are in your hands.
Part of being a professional is handling responsibility. While exploiting each application, you will gain access to powerful functionality. If you use this to delete your own account or a core system component, you may make your exam impossible to complete.
The practice exam is there to allow you to get used to the format the real exam will use. It should also help you to gauge the difficulty level of the exam, and therefore judge for yourself whether you are at the required skill level to gain the certification.
There are no restrictions on the number of times you may take the practice exam, and you may also quit the test simulation and begin again.
If you're already logged in to your PortSwigger user account, as soon as you hit the button below you'll be directed into the practice exam environment. If you're not yet logged in, when you hit the button below you'll be asked to log in before being directed to the practice exam start page.