My experience (and tips) on the Burp Suite Certified Practitioner exam
Last year I got my master’s degree in Computer Science here in Italy and I started working in a cyber-security startup. Needless to say, I never actually stopped studying after getting the degree. I am convinced that to become one of the good ones in my job it is mandatory to keep learning every single day.
So I started looking at cyber-security certifications when the new Burp Suite Certified Practitioner popped up. It was December 2021 and PortSwigger gave everyone a gift by lowering the price of the exam to just 9 dollars (or something like that). I quickly bought the exam, but I was not ready to take it, so I waited, studied, read articles about the exam and collected tips & tricks from everyone who had already passed it. In March 2022 I decided to try it: I felt ready. I failed. But let me give you a spoiler, this story has a happy ending, because the other day I finally got my Burp Suite Certified Practitioner certification!
This post contains my opinions and tips about the exam, to help you pass it. I think this is enough for an introduction: let’s go!
How the exam works
This is a short paragraph that describes how the Burp Suite Certified Practitioner exam works. If you are already familiar with the exam process you can skip to the next section.
The exam lasts (at the time of this writing) 4 hours. During these four hours 2 labs must be completed. Each lab has 3 phases, and all of them must be completed to conclude the lab:
- Obtain access to a non-privileged user
- Escalate your privileges to administrator
- Read the content of the /home/carlos/secret file
You need to have a working Professional license, because you may have to perform out-of-band exfiltration through your Burp Collaborator instance.
My experience (and fails)
As I told you, the first time I tried the exam I failed. That’s not the whole story: I failed 4 times before passing it, and I want to tell you about each one of these fails, because every fail taught me something.
First fail
As I said, when I tried the first time I felt I was ready. I had completed all the Apprentice and Practitioner labs available on the Web Security Academy. I started the exam and I think I was a little bit too anxious.
I took 3 hours and 20 minutes to complete 5 phases out of 6. Only the last phase of one lab was missing, and I was not able to unravel it in the time I had left.
Result → Failed
First lesson learned: be fast
The lesson here is pretty simple: you have to be fast. A suggestion I give to everyone is to have a series of PoCs already prepared before starting the exam, and to try the easy things first. A working workflow could be to start a scan for critical issues only, while manually looking for vulnerabilities at the same time.
Second fail
I got pretty nervous, and after a couple of days I bought another exam and tried it right away. This time I had a bunch of PoCs already prepared and, to tell the truth, the phases looked easier to me. I took 2 hours and 20 minutes to complete 5 phases out of 6. I had more than an hour and a half to complete the last part, and I miserably failed.
Result → Failed
Second lesson learned: be aware of rabbit holes
In one of my later attempts I got the same last part that made me fail this time, and I had simply been looking at it the wrong way. I thought it was a different kind of vulnerability and I spent almost two hours trying to exploit it. I could have spent even 100 hours: the vulnerability was another one. It was a rabbit hole, so keep this in mind and don’t focus too much on just one kind of vulnerability; keep an open mind while you do the exam.
Third fail
My third fail was the worst. I was going really fast, and I also got some vulnerabilities I had already met in previous attempts. I took 1 hour and 30 minutes to complete 5 phases out of 6. The last phase was once again a vulnerability I had already found: it was the same one that caused my first fail. So I was really thrilled and happy, because it felt like a chance to get revenge.
Then I got really angry, because I did the stupidest thing ever: I deleted my own user by mistake when 2 hours were still left, and I was not able to continue the exam. I just watched the countdown reach zero while I wanted to destroy everything.
Result → Failed
Third lesson learned: read the PortSwigger rules
PortSwigger itself gives you a lot of tips to complete the exam. One of them is the following:
While exploiting each application, you will gain access to powerful functionality. If you use this to delete your own account or a core system component, you may make your exam impossible to complete.
That’s exactly what happened to me. So the lesson is pretty clear: be sure to know every rule before starting the exam.
Fourth fail
The fourth (and last) fail was the most mysterious one to me. It is also the only fail in which I was not able to reach 5 phases out of 6. I got stuck for 2 hours and 35 minutes on the second phase of a lab. Even now I don’t know what had to be done in order to exploit that vulnerability. This time it may seem there is no lesson to be learned, but you’d be wrong.
Result → Failed
Fourth lesson learned: think out of the box
This must be your mantra while doing the exam. I’m pretty sure I had to think in a different way to overcome that phase. Since I still want to know the solution to that point, I also invite anyone who reads this post to contact me privately to discuss it (at the end of the post there is also the link to verify my exam, so you can see that I am not trying to cheat).
The happy ending
The spoiler I gave you earlier is here.
A couple of days ago I finally managed to pass the exam. I also got a pretty good result, since I completed all 6 phases in about 2 hours. I got 4 phases that I had already met in previous attempts (with slight differences), so I was extremely ready for them, and the other ones were not so difficult. This is the code to check that I successfully completed the exam:
- DCA5D34D8253992D
The link to check it is this one.
The best thing was that the last phase I completed was the one I had encountered on fail #1 and fail #3. So it was a great satisfaction to finally be able to solve it.
To conclude, the lessons learned are:
- Never stop chasing your goals
- Try harder, always
The last lesson also gives you a hint about my next goal!