Ready to take the exam? Here's what you need to know.
The Burp Suite Certified Practitioner exam is a challenging practical examination designed to demonstrate your web security testing knowledge and Burp Suite Professional skills. It is built and designed by PortSwigger Research, the same minds who brought you the Web Security Academy. Before you get started on the practice exam, make sure you've read all the hints and tips on this page.
The practice exam is designed to simulate the environment of a real test situation, and will cover a variety of vulnerability classes and exploits.
The exam contains links to several web applications, from which you must find and exploit the vulnerabilities present.
To progress through stages, you need not only to identify vulnerabilities, but also exploit them. For example, if you identified an XSS vulnerability, triggering "alert" execution won't be enough to get access to the next stage: you need to actually exploit it against one of the simulated users and steal their session. Likewise, for SQL Injection vulnerabilities, you need to extract credentials from the database and use them to access the target account.
Make sure you are comfortably able to do all of the below:
Complete all of the labs within the Web Security Academy labeled "Practitioner" or lower without requiring access to the solutions provided.
Capably perform the exploits outlined within the exploiting XSS labs, in the XSS topic.
Have a go at solving labs generated by the mystery lab challenge.
Use Burp Suite Professional to quickly identify weaknesses and potential attack points.
Confidently use Burp Suite Professional's manual tools to aid exploitation.
Utilize the correct tools to perform out-of-band attacks.
We've created a guide to using Burp Scanner during manual testing, to make sure you've got to grips with the full scope of scanning you'll need to perform during the exam. The exam also requires you to be able to adapt your attack methods to bypass broken defenses, specifically by obfuscating attacks using encodings.
Unlike when you complete labs on the Web Security Academy, during the exam you'll have no prior knowledge of the type of vulnerability that you need to find and exploit. Use the mystery lab challenge below to spin up a randomized lab that you'll have to work out how to solve with no context, just like in the exam.
In some of the labs, you have access to your own account with the credentials wiener:peter. If you can enumerate usernames, you may also be able to brute-force the login using the following username and password wordlists.
As the exam is open book, you'll be able to access all of the below resources during your real exam, but it will help you to be familiar with them during your practice exam so that you're as prepared as possible.
Here are links to some resources you may want to have to hand when you take the exam:
Make sure that you take the practice exam as many times as is necessary before you attempt the real exam - your revision and preparation are in your hands.
Part of being a professional is handling responsibility. While exploiting each application, you will gain access to powerful functionality. If you use this to delete your own account or a core system component, you may make your exam impossible to complete.
The practice exam is there to allow you to get used to the format the real exam will use. It should also help you to gauge the difficulty level of the exam, and therefore judge for yourself whether you are at the required skill level to gain the certification.
There are no restrictions on the number of times you may take the practice exam, and you may also quit the test simulation and begin again.
If you're already logged in to your PortSwigger user account, as soon as you hit the button below you'll be directed into the practice exam environment. If you're not yet logged in, when you hit the button below you'll be asked to log in before being directed to the practice exam start page.