How to get your certification

Overview

The exam follows a process that is similar to the labs in the Web Security Academy, and the practice exam. However, in order to take the exam you first need to go through our automated identity verification process.

To become a Burp Suite Certified Practitioner, you need to work through the following steps:

1. Purchase your certification exam.

2. Check the system requirements.

3. Configure your device to work with our proctoring software, and upload your ID documents.

4. Take your certification exam.

5. Get your certification results.

You'll need a Burp Suite Professional subscription to take the exam.

To undertake the certification exam, you will need access to an active subscription of Burp Suite Professional. Get a subscription to Burp Suite Professional now, if you don't already have access to a separate license.

What the exam involves

In order to take the exam, you will first need to log in to your PortSwigger user account. You will find a button labeled "Take exam". By clicking this button, you will begin the official exam process. Once you have successfully completed the automated proctoring session, your exam will begin.

You will have four hours to complete the Burp Suite Certified Practitioner exam. There are two applications, and each application contains deliberate vulnerabilities. This means that each application can be completed in three stages:

1. Stage 1: Access any user account.

2. Stage 2: Use your user account to access the admin interface, perhaps by elevating your privileges or compromising the administrator account.

3. Stage 3: Use the admin interface to read the contents of /home/carlos/secret from the server's filesystem, and submit it using "submit solution".

While exploiting each application, you will gain access to powerful functionality. If you use this to delete your own account or a core system component, you may make your exam impossible to complete.

There is always an administrator account with the username "administrator", plus a lower-privileged account usually called "carlos". If you find a username enumeration vulnerability, you may be able to break into a low-privileged account using the following username list and password list.

Each application has up to one active user, who will be logged in either as a user or an administrator. You can assume that they will visit the homepage of the site every 15 seconds, and click any links in any emails they receive from the application. You can use exploit server's "send to victim" functionality to target them with reflected vulnerabilities.

If you find an SSRF vulnerability, you can use it to read files by accessing an internal-only service, running on localhost on port 6566.

Host header attacks are fair game, but the _lab and _lab_analytics cookies are part of the core exam functionality - please don't waste your time tampering with them.

To understand the skills required to take this exam, please refer to the prepare for the exam page.

Requirements

The following sections outline the requirements for the exam. Please make sure you read these sections thoroughly before purchasing your certification exam.

Proficiency/skill

To pass the certification exam, you are required to demonstrate an in-depth knowledge of a wide range of vulnerability classes, and the Burp Suite functionality required to support you in discovery, understanding, and exploitation.

To get ready for the challenges you'll face in the certification exam, please refer to the how to prepare for the exam page.

Language

All exam materials will be presented in English. If you can comfortably read the learning materials within the Web Security Academy, and all of the exam guidance pages, the exam will not present you with any language-based challenges.