Practical Junior Web Tester - PJWT

I want to share the approach I took to study for and pass the PJWT certification.

What is PJWT?

The PJWT, or Practical Junior Web Tester certification from TCM Security, tests your ability to evaluate a web application using the OWASP Top 10 methodology. It also assesses whether you can professionally report vulnerable components and suggest appropriate mitigations.

To pass the exam, you need to assess a web application for 48 hours and then use an additional 48 hours to write and submit a report with your findings and recommendations.

Exam resources

After you buy the exam, you will receive lifetime access to the training materials (videos and hands-on labs), an exam attempt and an additional free retake.

What is really nice about TCM Academy is that the resources provided along with the exam attempt are more than enough to clear the exam.

Learning Phase

The videos do a great job of presenting the theoretical side of the vulnerabilities covered by the OWASP Top 10, while the hands-on labs cover the practical side of the course.

Notes, notes, notes...

You should have an app or a website that helps you take notes along the way. Please allocate time to take notes about the vulnerabilities and the exploits you use to trigger them. I cannot emphasize enough how important this step is; having these documented will help you in the following ways:

  • You will understand the training material better

  • You will have a quick reference whenever you forget something

  • During the exam, these will help you make sure you did not miss anything while applying your testing methodology

Labs

You should do the labs twice, or at least once while taking notes on every tool and exploit you used.

Exam Time

How it goes

You do not need to schedule the exam; you can start it whenever you want. After you start the exam, you will receive access to the app and will have 48 hours to test it. When the time is up, you get 48 hours to submit the report.

Tips and Tricks

Try to start the exam on a Friday or close to the weekend. If you do not have experience taking practical offensive exams, stay on the safe side and give yourself enough time to assess the application and to write the report.

Are the videos and labs enough?

The learning materials are enough for you to pass the exam, and good notes will come in handy during it. I recommend following the methodology presented in the training and being very thorough when you test the web application's functionality. Trust me, you do not want to jump in every direction; that can lead to missing important findings and makes it harder to take notes.

Screenshots, Screenshots, Screenshots

Take screenshots and document every finding as you discover it; this will save you a lot of time when you start the reporting part of the exam.

Take breaks

This is a beginner exam; if you have studied the course material and taken notes, you should be able to clear it, which is why you should take breaks. I am not going to lie, I got stuck once during the exam, and I was trying to push on and look in every direction to find what I was missing. Guess what: going to sleep and getting 7 hours of rest helped me clear my mind, and I woke up with the solution to my problem. Please take breaks; in the long run, they will save you time and energy.

Please read this

You should research how to write a report and what kind of template you are going to use. The course provides both, but I recommend really putting time into understanding how to report, and choosing the application you are going to use to edit and create your template. I did not put much time into this before the exam, and in the end it turned out to be time-consuming during my exam attempt.

Extremely underrated but valuable final tip

If you are reading this around Black Friday or Memorial Day, TCM Security runs 50% discount offers on their platform courses. You can end up paying $15 (normally $30) for an entire month of access to all their courses; the one you would be interested in is API Security Testing. That course is not very long, but it will expose you to, and make you more familiar with, how to interact with and assess APIs. The lab application that comes with the course will be a great opportunity to see different vulnerable web applications and get used to using Burp and ffuf. That training is not required to pass the PJWT exam, but you get better at assessing web applications by assessing more web applications.

Final Thoughts

In the next couple of months I am looking forward to preparing for and clearing the Practical Web Penetration Tester (PWPT) exam from TCM. Rest assured, you will find an article on my blog describing how that went. :)

Good luck with your exam attempt; it will be a very fun and rewarding experience!