The CREST Certified Web Application Tester examination is an assessment of the candidate’s ability to find vulnerabilities in bespoke web applications. The examination uses specially designed applications running on a variety of web application platforms and now covers a wider scope than purely traditional web applications to include more recent advances in the field of web application technology and security. The candidate will be expected to demonstrate that they are able to find a range of security flaws and vulnerabilities, including proving the ability to exploit and leverage the flaws to ascertain the impact of the issues found.
In addition to traditional web application security, candidates are advised to familiarise themselves with the following topics, which are included in the practical examination and may also be included in the written components:
- Flash Application Testing
- .Net Thick Clients
- Java Applets
- Identification of functionality within client-side code that is accessible only to privileged users
- Vulnerabilities in increasingly prevalent application frameworks – e.g. Rails
- Identification of more recent SSL vulnerabilities – e.g. BEAST
- HTTP Header Fields relating to security features – e.g. HSTS
- Decompilation of client-side code – e.g. Flash, Java, .Net
- Web Server security misconfigurations – e.g. WebDAV
The format is the same for both the Infrastructure and Application Certified Tester exams. The candidate will be expected to possess not only the technical ability to find security weaknesses and vulnerabilities, but also the skills to ensure findings are presented in a clear, concise and understandable manner. The examination consists of three tasks:
- A multiple-choice written examination
- A hands-on practical examination (in two parts – see below; with effect from 1 April 2019)
To pass the exam, the candidate must pass all sections. The written element of the examination is delivered at Pearson Vue test centres; the practical element of the examination is delivered at a CREST examination centre. Candidates must hold a valid pass in the written element of this examination in order to book to sit the practical element.
With effect from 1 April 2019, the structure of the practical component is changing. From this date, it will be split into two sequential sections and be five hours in duration. The first component will comprise a Scenario question demarcated from the practical component and designed to mimic the skills required to perform a build review and author a client report on the findings. The second component will be a practical test (now referred to as an Assault Course).
Please be assured that there has been no change to the standard required nor to the syllabus content; the change is merely structural and introduces the requirement to write a written report (Scenario) rather than answer a number of shorter, long-form style questions.