This page summarizes my experience of obtaining the BSCP certification. At the end there are also some tips and tricks for the exam, which I think give you a better chance of passing it.
Overview
BSCP is officially described as:
The Burp Suite Certified Practitioner (BSCP) is an official certification for web security professionals, from the makers of Burp Suite. Becoming a Burp Suite Certified Practitioner demonstrates a deep knowledge of web security vulnerabilities, the correct mindset to exploit them, and of course, the Burp Suite skills needed to carry this out.
The course material is free (Web-Academy) and spans 31 topics in total, sorted into Server-side, Client-side and Advanced:


At the time of writing there are 274 labs in total (61 Apprentice, 174 Practitioner, 39 Expert). You are expected to go through all topics and be proficient with the labs up to Practitioner level. So if you're new to web security there is a lot of ground to cover. In addition, some topics have learning paths with deeper explanations, others do not; it seems that mostly the newer topics are covered this way. The platform has also only grown in topics over the years, so it's harder to do now than, say, 5 years ago (and it may get harder if you wait any longer ;)).
The exam consists of:
- 2 vulnerable web applications, each of which has
- 3 vulnerabilities to exploit (not only detect); the path is predetermined: compromise any user account -> get admin privileges -> get arbitrary file read to exfiltrate the content of /home/carlos/secret
You have to exploit all 6 vulnerabilities successfully. There is no room for failure. The time limit is 4 hours. You don't have to write any report. The exam is proctored. It's completely open book; even AI is allowed. The price is $99, which is very reasonable, but you also need an active Burp Suite Pro license, which sets you back an additional $499. Various people claim they did the exam with the one-month trial version; I can't confirm that, as I had a purchased license. Even at a total cost of $598 it's very reasonably priced in my opinion, as the academy is very broad and goes into depth.
Why did I choose this course?
After CPTS and OSCP+ I still felt I had some gaps in web topics. I especially wanted to dive into more advanced topics like:
- Web cache poisoning
- HTTP request smuggling
- Prototype pollution
- XSS with WAF bypassing
Review
Course
I enjoyed the material and the labs overall very much. The labs especially are short "snacks" that you can do in a bit of spare time. The lab infrastructure is pretty solid; only a few times I had hiccups where I needed multiple tries until the lab started. The labs run on a short timer and stop if no user activity is detected, so a few times I ran into the issue that the lab closed on me even though I had not yet solved it.
With my previous knowledge I needed around a month until I had finished 80% of all labs, which covered almost all topics. I only did a few Expert labs; those are out of scope and will not be in the exam. If you're completely new to web security or cyber security, my guess is you would need at least 3 months and maybe some more resources like HackTheBox to be able to pass the exam. I would recommend doing BSCP only if you have at least basic web security knowledge and have used Burp Suite before (I had used Burp Suite daily for at least one year). I also valued very much the explanation of many functions like Burp Collaborator and DOM Invader, which I hadn't used before. I really began to understand how the many functions of Burp Suite, together with many more extensions, work together to find vulnerabilities reliably and fast in any web application.
There are no specific modules I favoured over the others. Naturally I benefited the most from topics I hadn't dived into before. There was really only one topic where I needed the linked videos from the community to fully understand it: HTTP request smuggling.
I would rate the course 8/10 and can recommend it if you want broad, deep coverage of the most common web vulnerabilities AND want to know how to detect and exploit them with the most used web application penetration testing tool: Burp Suite.
You can only enter the exam if you have solved the mandatory labs, done some mystery labs and passed at least one practice exam.
Exam
The conditions of the exam make it quite a pitfall to fall into. If you browse through various forums and blog posts you read that most people needed multiple attempts until they mastered the exam. And yes, I understand why. It is not because the exploits are much harder than in the previously solved labs or the practice exam, but you really have to chain some techniques together, especially with a Web Application Firewall active and some outbound connections blocked. Be prepared that even if you detect the vulnerability fast, you need to know how to bypass these basic protections on payloads. That was where most of my time went during the exam. I mostly detected the vulnerability for each stage in under 5 minutes, but to exploit it you need the right payload or the right endpoint for it to work.
I passed the exam on my first attempt and needed approx. 2 hours for it. One application I solved fully in under 20 minutes. On the other I needed 50 minutes or more just to get the initial exploit to work. I detected the vulnerability very fast with the Burp scanner, but there were some hurdles which weren't covered in detail in the labs. So be prepared to think outside the box and chain techniques together. Be warned that if you cannot exploit any one of the vulnerabilities you are confronted with, you automatically fail the exam.
The automatic proctoring was very smooth; I had no problems at all. There is no human watching you live, but everything (screens + webcam + microphone) is recorded and later reviewed together with your Burp project file. I got my result after 48 hours (though I did the exam on a holiday, so maybe it would be even faster).
Tips & Tricks for the Exam
- The vulnerabilities are very close to the labs, but be prepared to exploit them in various ways (just copying the payload from the labs mostly does not work).
- There is a full web application waiting for you with a lot of functions which are not vulnerable (in the labs you mostly had only one function which was vulnerable).
- Make use of Mystery Labs to be fast on the detection side. That's not where your time should go.
- Whenever you encounter a SQL Injection, use sqlmap. It really makes your life easy. Don't forget to copy the cookie into the header as well, and try different --tamper options to bypass any WAF.
- For XSS use the PortSwigger cheat sheet -> https://portswigger.net/web-security/cross-site-scripting/cheat-sheet. It also has a WAF bypass list, make use of it.
- For any vulnerability on Stage 3 which involves arbitrary commands (e.g. OS Command Injection or SSTI), learn how to do OOB exfiltration via DNS with Burp Collaborator. Expect that any other outbound connection is rejected.
- Do both Practice Exams, they mirror the exam environment really well. Though don't expect the same vulnerabilities on the exam.
- Don't use any full-fledged scans. You don't have time for that. You're much faster if you do targeted request or parameter scans.
- Use the HTTP request smuggling extension (HTTP Request Smuggler) with Smuggle Probe for detection of any vulnerabilities of this sort.
- Use Param Miner, especially to detect additional headers for Web cache poisoning.
- Carefully read the exam instructions:
  - There is only one user per application.
  - If SSRF is in play, it's on port 6566.
  - If you need to enumerate users or brute-force a login, there is a given user and password list.
- Most importantly, look at the table below, which shows that certain vulnerabilities are only covered in later stages and others only in earlier ones:

| Category | Stage 1 | Stage 2 | Stage 3 |
|---|---|---|---|
| SQL Injection | ✔️ | ✔️ | |
| Cross-site scripting | ✔️ | ✔️ | |
| Cross-site request forgery (CSRF) | ✔️ | ✔️ | |
| Information disclosure | ✔️ | ✔️ | |
| DOM-based vulnerabilities | ✔️ | ✔️ | |
| Cross-origin resource sharing (CORS) | ✔️ | ✔️ | |
| XML external entity (XXE) injection | | | ✔️ |
| Server-side request forgery (SSRF) | | | ✔️ |
| HTTP request smuggling | ✔️ | ✔️ | |
| OS command injection | | | ✔️ |
| Server-side template injection | | | ✔️ |
| Directory traversal | | | ✔️ |
| Access control vulnerabilities | ✔️ | ✔️ | |
| Authentication | ✔️ | ✔️ | |
| Web cache poisoning | ✔️ | ✔️ | |
| Insecure deserialization | | | ✔️ |
| HTTP Host header attacks | ✔️ | ✔️ | |
| OAuth authentication | ✔️ | ✔️ | |
| File upload vulnerabilities | | | ✔️ |
| JWT | ✔️ | ✔️ | |
You might notice I only listed 20 out of 31 topics. That's because only these labs are covered by the Mystery Labs. I don't know if the other topics are in the exam, but I can say they were not in mine. So I would focus on this list. In addition, on my exam there were six different vulnerabilities. My guess is you wouldn't get two apps which, e.g., both have an XSS vulnerability. But this is only my assumption.
If you failed your exam, heads up: use it as additional training motivation. The exam is in my opinion cheap, so it shouldn't be a problem to fail once or twice.

