eLearnSecurity Mobile Application Penetration Tester (eMAPT) and the respective INE courses

Course: Android & Mobile App Pentesting****

This is the course to prepare for the eMAPT certificate exam. It will teach you the basics of Android as OS, how the applications works, the most sensitive components of the Android applications, and how to configure and use the main tools to test the applications. The goal is to prepare you to be able to pentest Android applications in the real life.

I found the course to be a great one for people that don't have any experience pentesting Android applications. However, if you are someone with experience in the topic and you have access to the course I also recommend you to take a look to it. That was my case when I did this course and even having a few years of experience pentesting Android applications this course taught me some Android basics I didn't know and some new tricks.

Finally, note two more things about this course: It has great labs to practice what you learn, however, it doesn't explain every possible vulnerability you can find in an Android application. Anyway, that's not an issue as it teach you the basics to be able to understand other Android vulnerabilities. Besides, once you have completed the course (or before) you can go to the Hacktricks Android Applications pentesting section and learn more tricks.

Course: iOS & Mobile App Pentesting****

When I performed this course I didn't have much experience with iOS applications, and I found this course to be a great resource to get me started quickly in the topic, so if you have the chance to perform the course don't miss the opportunity. As the previous course, this course will teach you the basics of iOS, how the iOS applications works, the most sensitive components of the applications, and how to configure and use the main tools to test the applications. However, there is a very important difference with the Android course, if you want to follow the labs, I would recommend you to get a jailbroken iOS or pay for some good iOS emulator.

As in the previous course, this course has some very useful labs to practice what you learn, but it doesn't explain every possible vulnerability of iOS applications. However, that's not an issue as it teach you the basics to be able to understand other iOS vulnerabilities. Besides, once you have completed the course (or before) you can go to the Hacktricks iOS Applications pentesting section and learn more tricks.

eMAPT

The eLearnSecurity Mobile Application Penetration Tester (eMAPT) certification is issued to cyber security experts that display advanced mobile application security knowledge through a scenario-based exam.

The goal of this certificate is to show that you are capable of performing common mobile applications pentests.

During the exam you are given 2 vulnerable Android applications and you need to create an Android application that exploits the vulnerabilities automatically. In order to pass the exam, you need to send the exploit application (the apk and the code) and it must exploit the other apps vulnerabilities.

Having done the INE course about Android applications pentesting is more than enough to find the vulnerabilities of the applications. What I found to be more "complicated" of the exam was to write an Android application that exploits vulnerabilities. However, having some experience as Java developer and looking for tutorials on the Internet about what I wanted to do I was able to complete the exam in just some hours. They give you 7 days to complete the exam, so if you find the vulnerabilities you will have plenty of time to develop the exploit app.

In this exam I missed the opportunity to exploit more vulnerabilities, however, I lost a bit the "fear" to write Android applications to exploit a vulnerability. So it felt just like another part of the course to complete your knowledge in Android applications pentesting.

eLearnSecurity Web application Penetration Tester eXtreme (eWPTXv2) and the INE course related

Course: Web Application Penetration Testing eXtreme****

This course is the one meant to prepare you for the eWPTXv2 certificate exam. Even having been working as web pentester for several years before doing the course, it taught me several neat hacking tricks about "weird" web vulnerabilities and ways to bypass protections. Moreover, the course contains pretty nice labs where you can practice what you learn, and that is always helpful to fully understand the vulnerabilities.

I think this course isn't for web hacking beginners (there are other INE courses for that like Web Application Penetration Testing). However, **if you aren't a beginner, independently on the hacking web "level" you think you have, I definitely recommend you to take a look to the course because I'm sure you will learn new things** like I did.

eWPTXv2

The eLearnSecurity Web Application Penetration Tester eXtreme (eWAPTX) is our most advanced web application pentesting certification. The eWPTX exam requires students to perform an expert-level penetration test that is then assessed by INE’s cyber security instructors. Students are expected to provide a complete report of their findings as they would in the corporate sector in order to pass.

The exam was composed of a few web applications full of vulnerabilities. In order to pass the exam you will need to compromise a few machines abusing web vulnerabilities. However, note that that's not enough to pass the exam, you need to send a professional pentest report detailing all the vulnerabilities discovered, how to exploit them and how to remediate them. I reported more than 10 unique vulnerabilities (most of them high/critical and presented in different places of the webs), including the read of the flag and several ways to gain RCE and I passed.

All the vulnerabilities I reported could be found explained in the Web Application Penetration Testing eXtreme course. However, order to pass this exam I think that you don't only need to know about web vulnerabilities, but you need to be experienced exploiting them. So, if you are doing the course, at least practice with the labs and potentially play with other platform where you can improve your skills exploiting web vulnerabilities.