This course is in active development.
GWAPT
The GWAPT certification course teaches web application penetration testing, covering reconnaissance, authentication, injection, business logic, client-side, and API security, enabling professionals to identify and remediate critical vulnerabilities.
Who Should Take This
Security analysts, penetration testers, and developers with at least two years of experience in information security, who regularly work with HTTP, HTML, and JavaScript, should take this exam. It prepares them to conduct thorough web application assessments, communicate findings effectively to development teams, and align remediation with industry best practices.
What's Covered
1. Web Application Technology and Reconnaissance
2. Authentication and Session Management Testing
3. Injection Attacks
4. Business Logic and Client-Side Testing
5. API Security Testing
6. WAF Bypass and Advanced Techniques
7. Reporting and Remediation
What's Included in AccelaStudy® AI
Course Outline
67 learning goals
1. Web Application Technology and Reconnaissance (3 topics)
Web Technology Fundamentals
- Describe the HTTP protocol including request methods, status codes, headers, cookies, and content types, and explain how each element affects web application security testing and attack surface identification.
- Identify the components of a modern web application technology stack including web servers, application frameworks, client-side JavaScript frameworks, databases, caching layers, and CDNs, and describe the security implications of each component.
- Describe the same-origin policy, Content Security Policy, and Cross-Origin Resource Sharing mechanisms, and explain how each browser security control prevents or permits cross-origin interactions in web applications.
- Configure Burp Suite Professional as an intercepting proxy with browser certificate installation, scope definition, and project settings optimized for web application penetration testing engagements.
Web Application Reconnaissance
- Describe web application fingerprinting techniques including HTTP header analysis, error page signatures, URL patterns, and technology-specific markers that reveal the application framework, web server, and backend technologies in use.
- Implement web application content discovery using directory brute-forcing with Gobuster and ffuf, spidering with Burp Suite, robots.txt and sitemap analysis, and JavaScript file parsing to map the application's attack surface.
- Configure automated vulnerability scanning using Nikto and Burp Suite Active Scanner with appropriate scan policies to identify common web application vulnerabilities while avoiding service disruption and excessive noise.
- Analyze web application reconnaissance results to identify high-value testing targets, prioritize input vectors by exploitability potential, and develop a structured testing plan that covers the full application attack surface.
Web Application Architecture Analysis
- Describe common web application deployment architectures including load-balanced clusters, reverse proxy configurations, WAF placement, and microservices patterns, and identify how each affects testing methodology and tool configuration.
- Evaluate web application architecture security by analyzing HTTPS configuration, cookie security attributes, security headers, and client-side security controls to identify architectural weaknesses before detailed vulnerability testing.
2. Authentication and Session Management Testing (3 topics)
Authentication Testing
- Describe common authentication mechanisms in web applications including form-based login, HTTP Basic/Digest, OAuth 2.0, OpenID Connect, SAML, and multi-factor authentication, and identify the attack surface of each mechanism.
- Implement authentication testing including brute force attacks with Burp Intruder, username enumeration through response analysis, default credential testing, and password reset flow manipulation to identify authentication weaknesses.
- Configure OAuth 2.0 and JWT token testing to identify authorization code interception, token leakage through referrer headers, insecure JWT signing algorithms, and missing audience validation vulnerabilities.
- Analyze authentication implementation security by evaluating password storage mechanisms, account lockout behavior, credential transport protection, and multi-factor authentication bypass opportunities to assess overall authentication strength.
Session Management Testing
- Describe session management mechanisms including server-side sessions, JWT tokens, cookie attributes (HttpOnly, Secure, SameSite), and session lifecycle events, and identify the security properties each mechanism should enforce.
- Implement session management testing including session token entropy analysis, session fixation testing, session hijacking via cookie theft, and testing for proper session invalidation on logout and password change.
- Evaluate session management implementation by testing concurrent session handling, session timeout enforcement, cross-site request forgery protections, and cookie scope restrictions to identify session-based attack vectors.
Authorization Testing
- Describe authorization models including role-based access control, attribute-based access control, and object-level authorization, and identify common authorization vulnerabilities such as IDOR, privilege escalation, and forced browsing.
- Implement authorization testing by manipulating user identifiers in requests, swapping JWT tokens between accounts, accessing API endpoints without required roles, and testing horizontal and vertical privilege escalation paths.
- Configure the Burp Suite Autorize extension or manual testing workflows to systematically test every application endpoint for insecure direct object reference and broken access control vulnerabilities across multiple user roles.
- Assess the completeness and consistency of an application's authorization model by mapping all protected resources, testing access controls at every enforcement point, and identifying authorization bypass paths that circumvent intended restrictions.
3. Injection Attacks (4 topics)
SQL Injection
- Describe SQL injection vulnerability types including in-band (UNION-based, error-based), blind (boolean-based, time-based), and out-of-band techniques, and explain the database-specific syntax variations for MySQL, MSSQL, PostgreSQL, and Oracle.
- Implement manual SQL injection testing using Burp Suite Repeater to craft injection payloads, enumerate database structures through UNION SELECT queries, and extract data from multiple tables using error-based and boolean-based blind techniques.
- Configure SQLMap for automated SQL injection exploitation including database enumeration, data extraction, file system access, and operating system command execution with appropriate tamper scripts for WAF bypass.
- Implement second-order SQL injection testing where injected payloads are stored in the database and triggered by subsequent application operations, identifying vulnerabilities that automated scanners frequently miss.
- Evaluate SQL injection risk by assessing database privilege levels accessible through the vulnerability, data sensitivity of extractable information, and potential for escalation to operating system access or lateral movement.
Cross-Site Scripting
- Describe cross-site scripting vulnerability types including reflected XSS, stored XSS, and DOM-based XSS, and explain how each type exploits different injection and execution contexts within the browser rendering pipeline.
- Implement XSS payload development for different output contexts including HTML body, HTML attributes, JavaScript strings, URL parameters, and CSS values, crafting context-appropriate payloads that bypass common sanitization filters.
- Configure DOM-based XSS testing by identifying JavaScript sources and sinks in client-side code, tracing data flow from user-controlled inputs to dangerous DOM manipulation functions, and crafting payloads that execute through client-side code paths.
- Analyze XSS impact potential by evaluating cookie accessibility, Content Security Policy restrictions, same-origin policy implications, and demonstrating realistic attack scenarios including session hijacking and keylogging.
Server-Side Injection Attacks
- Describe server-side request forgery attack mechanics including internal service access, cloud metadata endpoint exploitation, and protocol smuggling, and identify the application patterns that create SSRF vulnerabilities.
- Implement SSRF exploitation to access internal services, retrieve cloud instance metadata credentials, scan internal network ports, and bypass IP-based access controls through the vulnerable application's server-side request capabilities.
- Describe XML external entity injection mechanisms including file disclosure through external entity definitions, out-of-band data exfiltration through parameter entities, and denial of service through entity expansion attacks.
- Implement XXE exploitation against XML-accepting endpoints to extract server-side files, perform SSRF through external entity URLs, and test for blind XXE using out-of-band interaction techniques with collaborator services.
- Implement server-side template injection testing by identifying template engine syntax through polyglot payloads, determining the template engine in use, and escalating from template syntax injection to remote code execution.
- Assess the overall injection attack surface of a web application by cataloging all input vectors, testing each for multiple injection types, and evaluating the effectiveness of input validation and output encoding controls across the application.
Command Injection and Deserialization
- Describe OS command injection attack vectors including shell metacharacter injection, blind command injection with time delays and out-of-band channels, and the application patterns that expose command injection vulnerabilities.
- Implement command injection testing using shell metacharacters and command chaining operators to execute arbitrary commands, and use out-of-band techniques with DNS and HTTP callbacks to confirm blind command injection vulnerabilities.
- Describe insecure deserialization vulnerabilities including Java, PHP, Python, and .NET deserialization gadget chains, and identify the conditions and entry points where deserialization attacks can achieve remote code execution.
- Evaluate command injection and deserialization finding severity by determining the execution context, accessible file system and network resources, and potential for full server compromise and lateral movement to connected systems.
4. Business Logic and Client-Side Testing (3 topics)
Business Logic Testing
- Describe business logic vulnerability categories including workflow bypass, insufficient process validation, race conditions, and trust boundary violations that cannot be detected by automated scanning tools.
- Implement business logic testing by manipulating multi-step workflows, skipping process steps through direct URL access, modifying hidden form fields and client-side price values, and testing negative quantity and boundary condition inputs.
- Configure race condition testing using Burp Suite Turbo Intruder or parallel request techniques to exploit time-of-check to time-of-use vulnerabilities in coupon redemption, account balance, and voting application logic.
- Analyze application business logic to identify process integrity assumptions, map trust boundaries between client and server validation, and determine where insufficient server-side enforcement permits business rule circumvention.
Client-Side Security Testing
- Describe client-side attack vectors including cross-site request forgery, clickjacking, open redirect exploitation, and WebSocket hijacking, and explain the browser security mechanisms that mitigate each attack type.
- Implement CSRF testing by crafting cross-origin request payloads, evaluating SameSite cookie effectiveness, testing anti-CSRF token implementation, and demonstrating state-changing actions executable from attacker-controlled pages.
- Configure clickjacking proof-of-concept frames to demonstrate UI redressing attacks, test X-Frame-Options and frame-ancestors CSP directive enforcement, and assess the risk of sensitive operations accessible through framed application pages.
- Evaluate the effectiveness of client-side security controls by testing Content Security Policy bypass techniques, analyzing CORS misconfigurations for cross-origin data theft, and assessing postMessage handler validation for cross-origin messaging attacks.
File Upload and Inclusion Testing
- Describe file upload vulnerability categories including unrestricted file type upload, path traversal in filenames, content-type validation bypass, and server-side file inclusion vulnerabilities that enable remote code execution.
- Implement file upload bypass techniques including extension manipulation, content-type header spoofing, magic byte injection, and polyglot file creation to upload executable content past server-side validation controls.
- Assess file upload functionality security by testing all validation layers, evaluating storage location accessibility, and determining whether uploaded files can be executed or included in server-side processing to achieve code execution.
5. API Security Testing (2 topics)
REST API Testing
- Describe REST API security considerations including authentication token handling, rate limiting, input validation, error handling information disclosure, and the OWASP API Security Top 10 vulnerability categories.
- Implement REST API endpoint discovery through Swagger/OpenAPI documentation analysis, JavaScript source code review, and parameter brute-forcing to identify undocumented endpoints and hidden API functionality.
- Configure API security testing for broken object-level authorization by manipulating resource identifiers across authenticated sessions, testing mass assignment vulnerabilities, and exploiting excessive data exposure in API responses.
- Evaluate API security posture by assessing authentication and authorization enforcement consistency across all endpoints, testing rate limiting effectiveness, and identifying information disclosure through verbose error messages and response data.
GraphQL and WebSocket Testing
- Describe GraphQL security considerations including introspection query abuse, query depth and complexity attacks, batch query vulnerabilities, and authorization bypass through nested query resolution.
- Implement GraphQL security testing by executing introspection queries to map the schema, crafting deeply nested queries for denial of service, and testing field-level authorization by querying restricted fields through alternative query paths.
- Assess GraphQL and WebSocket implementation security by evaluating query complexity limits, subscription authorization controls, and message validation to identify denial of service risks and unauthorized data access paths.
6. WAF Bypass and Advanced Techniques (1 topic)
Web Application Firewall Evasion
- Describe web application firewall detection and evasion techniques including encoding manipulation, case variation, comment injection, HTTP parameter pollution, and chunked transfer encoding that bypass WAF pattern matching rules.
- Implement WAF bypass techniques for SQL injection by using alternative encodings, keyword fragmentation, inline comments, and database-specific syntax alternatives that evade signature-based WAF detection rules.
- Configure XSS payloads that bypass WAF and Content Security Policy protections using event handler variations, JavaScript protocol URLs, SVG/MathML elements, and mutation XSS techniques targeting browser parsing differences.
- Evaluate WAF effectiveness by systematically testing bypass techniques for each vulnerability class, assessing false negative rates for common attack patterns, and determining whether the WAF provides meaningful security value or only defense in depth.
7. Reporting and Remediation (2 topics)
Web Application Penetration Test Reporting
- Describe the components of a web application penetration test report including executive summary, risk ratings, finding details with HTTP request/response evidence, impact analysis, and remediation guidance tailored for development teams.
- Implement web application finding documentation with reproducible proof-of-concept HTTP requests, annotated screenshots, attack chain narratives, and CWE-mapped vulnerability classifications for consistent reporting.
- Evaluate web application vulnerability severity using CVSS scoring, attack complexity assessment, authentication requirements, and data sensitivity classification to provide accurate risk ratings that guide development team remediation priorities.
Remediation Guidance
- Implement remediation recommendations that provide specific code-level fixes including parameterized queries for SQL injection, context-aware output encoding for XSS, and SSRF mitigation through allowlist URL validation.
- Assess the overall web application security posture by correlating individual vulnerability findings into systemic patterns, identifying root causes in development practices, and recommending secure development lifecycle improvements.
Scope
Included Topics
- All domains covered by the GIAC Web Application Penetration Tester (GWAPT) certification aligned with SANS SEC542: Web Application Technology Stack, Authentication and Session Management Testing, Injection Attacks, Business Logic Testing, Web Application Reconnaissance, API Testing, and Reporting and Remediation.
- Intermediate-level web application penetration testing methodology including HTTP protocol analysis, web application fingerprinting, authentication bypass, session hijacking, SQL injection, cross-site scripting, server-side request forgery, XML external entity injection, insecure deserialization, API security testing, and professional web application penetration test reporting.
- Key tools and frameworks: Burp Suite Professional, OWASP ZAP, SQLMap, Nikto, Wfuzz, Gobuster, ffuf, Postman, browser developer tools, OWASP Testing Guide, OWASP Top 10, CWE/SANS Top 25, and web application firewall bypass techniques.
- Scenario-driven web application security decisions requiring balancing testing thoroughness, application availability, data protection during testing, and accurate risk assessment for web-based vulnerabilities.
Not Covered
- Network-level penetration testing including port scanning, network exploitation, and lateral movement (covered by GPEN) except as context for web application attack chains.
- Mobile application binary analysis and platform-specific mobile security testing beyond mobile web application and API testing.
- Advanced binary exploitation, reverse engineering, and custom exploit development for web server software.
- Cloud infrastructure security assessment beyond web application hosting configurations that directly impact application security.
- Detailed secure software development lifecycle practices and code review techniques beyond understanding vulnerabilities from a testing perspective.
Official Exam Page
Learn more at GIAC Certifications