CSTL-Web App Exam
All our exams currently take place at our assessment centres in Cheltenham:
The Cyber Scheme, Eagle Tower, Montpellier Drive, Cheltenham GL50 1TA
Please organise your own accommodation if needed.
There is no on-site parking for candidates. Bath Terrace Car Park (SatNav GL50 2BA) offers reasonable all day parking within a few minutes’ walk. We are able to organise blue badge accessible parking for those who need it – please email us to book.
Our exam rooms are all accessible via lift. Please let us know if you have any accessibility issues.
Exams begin at 9.00am, please check in at Eagle Tower reception at 8.45am. Our invigilator will accompany you to the exam room. Exams are normally completed by 5pm.
You should bring a recognised photo-id (e.g. Passport or Driving Licence) and have this available throughout the test.
Under normal circumstances, you will be notified of success or failure by email within one working week by The Cyber Scheme.
You will need a laptop with a power supply, HDMI output, an RJ45 network interface card, a wireless network interface card and administrator rights to add software.
Hard drives will be erased (or retained) so please be prepared to remove them from your laptop at the end of the session. All drives that are installed in the laptop at the time of the test will need to be wiped.
Refreshments and lunch break
Water is available in the exam room. Please note you will only have a 30 minute lunch break, so we advise you bring your own food with you to save time – however there is a café onsite if you wish to purchase lunch, tea or coffee.
You will be asked to put phones and other devices on silent and away during exams; you will not be contactable via Teams, Slack etc. during the assessment.
The assessment will be open book. You may bring personal copies of textbooks and similar local resources into the assessment environment. You are not allowed to share permitted materials with other candidates. You are advised not to annotate permitted materials during the assessment.
Any annotations that are made will be subject to the persistent storage constraint below.
Resources to be provided by the Candidate
You must supply your own laptop, equipped with the penetration test tools of your choice.
The laptop must have an RJ45 / Ethernet socket that will be used to connect to the test environment. The laptop screen must be mirrored to an external monitor for the duration of the practical engagement with the test environment. The test centre will provide a 1920x1080 monitor with an HDMI connection. If your laptop does not support that, please ensure you bring an appropriate adaptor with you as we will not be able to supply one.
Access to the Internet is not permitted from your laptop. Supervised access to the Internet will be permitted from a machine provided by the assessment centre.
All persistent storage (internal drives, external drives, USB flash storage, written notes etc.) must be wiped at the end of the test. An attempt will be made to forensically wipe digital storage (your laptop drive may need to be removed for this to happen). Where disk wiping can be verified as successful, the storage device will be returned to you on the day of the assessment. If the drive cannot be wiped it will be retained and returned at a later date (via post). Paper storage, and digital storage where forensic wiping cannot be verified, will not be returned and will eventually be destroyed. You are strongly advised to use low-cost storage devices for the exams, as some devices can be challenging (and time consuming) to erase to the required standard.
There are some aspects of the assessment (viva) that will take the form of spoken questions with spoken answers. These will be audio recorded. The recordings will be retained for up to 24 months to ensure consistency across Assessors and candidates. You must be willing to be audio-recorded answering questions concerning the test.
After the practical test has been completed, candidates may be asked about the effects that any of their actions might have had. Such questions may relate to web servers, databases, client data, and times. Candidates should be prepared to record the process of carrying out their penetration test.
The practical part of the assessment will be performed within an environment that is predominantly virtualised. Candidates must not attempt to exploit the virtualisation infrastructure.
The assessment is structured to simulate a real-world penetration test. It comprises three phases.
Phase 1 – Scoping (15 minutes)
All candidates will share a common scoping briefing. Following the common scoping briefing, each candidate will individually have up to 10 minutes to ask questions concerning the scope of the penetration test. During your individual scoping session, the Assessor will play the role of the commissioning client. Your performance during the individual scoping session will form part of the assessment.
Phase 2 – Practical Penetration Test (4 hours)
The candidate’s laptop will be connected to the assessment infrastructure, from which you will perform the practical penetration test, as defined in the scoping session. Connectivity will end after 4 hours. During the final 30 minutes candidates will be advised to prepare for the interviews which follow, specifically in producing a site map.
(Break – 15 minutes)
There will be a 15 minute lunch break during the practical penetration test. During this time candidates will not be permitted to use their computers. This 15 minute break will not contribute towards the 4 hours of the practical assessment. You may take additional breaks for refreshments within the practical test, but no additional time will be allowed for any additional breaks that are taken.
Phase 3 – Interview (30 minutes)
During the interview you will be required to produce a site map on a white board or flip chart. The site map must detail the application’s pages and API functionality, but it does not need to include static assets, such as media or script. The interview is an assessed component of the examination; care should be taken to ensure that the site map reflects your full understanding of the assessment application.
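A site map of the kind described above is usually assembled from the requests recorded by an intercepting proxy during the practical phase. The script below is an added example, not Cyber Scheme material: it takes a constructed list of observed (method, URL, status) tuples, drops static assets by extension, collapses numeric and hex identifiers into a single `{id}` endpoint, and separates API endpoints from pages using an assumed `/api/` path prefix (the prefix list and the sample traffic are assumptions for illustration).

```python
"""Build a site map from observed HTTP requests (added example, not Cyber Scheme material)."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Static assets are excluded from the map, as the exam brief permits.
STATIC_EXT = {".js", ".css", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico",
              ".woff", ".woff2", ".ttf", ".map"}
# Assumed convention for this illustration: API endpoints live under these prefixes.
API_PREFIXES = ("/api/",)
# Segments that look like identifiers (integers, hex tokens, UUIDs) become "{id}".
_ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8,}|[0-9a-f-]{36})$", re.IGNORECASE)


def is_static(path):
    """True if the path ends in a static-asset extension."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in STATIC_EXT


def normalise_path(path):
    """Collapse identifier segments so /api/users/42 and /api/users/43 are one endpoint."""
    segs = ["{id}" if _ID_SEGMENT.match(s) else s for s in path.split("/") if s]
    return "/" + "/".join(segs)


def _new_entry():
    return {"methods": set(), "params": set(), "status": set()}


def build_site_map(observed):
    """observed: iterable of (method, url, status) tuples, e.g. exported from a proxy.

    Returns {"pages": {path: entry}, "api": {path: entry}} where each entry records
    the HTTP methods seen, the query parameter names seen and the status codes seen.
    """
    site = {"pages": defaultdict(_new_entry), "api": defaultdict(_new_entry)}
    for method, url, status in observed:
        parts = urlsplit(url)
        if is_static(parts.path):
            continue
        path = normalise_path(parts.path)
        bucket = "api" if path.startswith(API_PREFIXES) else "pages"
        entry = site[bucket][path]
        entry["methods"].add(method.upper())
        entry["params"].update(k for k, _ in parse_qsl(parts.query))
        entry["status"].add(status)
    return {bucket: dict(entries) for bucket, entries in site.items()}


def render(site):
    """Plain-text rendering suitable for copying onto a whiteboard or flip chart."""
    lines = []
    for bucket in ("pages", "api"):
        lines.append(f"[{bucket}]")
        for path in sorted(site[bucket]):
            e = site[bucket][path]
            lines.append(f"  {path}  {','.join(sorted(e['methods']))}"
                         f"  params={sorted(e['params'])}  status={sorted(e['status'])}")
    return "\n".join(lines)


# Constructed sample traffic for illustration; not from any real target.
SAMPLE = [
    ("GET", "http://target.test/", 200),
    ("GET", "http://target.test/static/app.js", 200),
    ("GET", "http://target.test/login", 200),
    ("POST", "http://target.test/login", 302),
    ("GET", "http://target.test/account?tab=orders", 200),
    ("GET", "http://target.test/api/users/42", 200),
    ("DELETE", "http://target.test/api/users/42", 403),
    ("GET", "http://target.test/api/users/43", 200),
    ("GET", "http://target.test/images/logo.png", 200),
    ("GET", "http://target.test/admin", 403),
]

if __name__ == "__main__":
    print(render(build_site_map(SAMPLE)))
```

Recording the status codes alongside each method is deliberate: a 403 on `DELETE /api/users/{id}` or `GET /admin` is exactly the kind of access-control boundary the interview questions on privilege escalation will probe, and it is easy to lose track of without a written map.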
You will also be expected to inform the commissioning client (Assessor) of the significant aspects of your practical penetration test. The Assessor may ask you to explain any aspect of the process that you followed during the practical test.
In order to pass the test, you must demonstrate all of the following:
- appropriate interaction with the commissioning client,
- knowledge of the process of conducting a penetration test including legal and ethical issues,
- core capability to identify and exploit OWASP Top 10 vulnerabilities, in particular injection vulnerabilities (e.g. SQL injection), cross-site scripting (XSS), privilege escalation and information disclosure,
- core capability to produce an accurate site map.
Inclusion and Accessibility during exams and training
The Cyber Scheme believe everyone should have access to a career in security testing. We are available to discuss any concerns you have and are more than happy to make reasonable adjustments for any candidate who requires them during training and examinations.
These reasonable adjustments are to ensure you are given an equal opportunity to demonstrate the necessary knowledge, skills and behaviours required. We recognise that not all disabilities are visible.
We have a range of reasonable adjustments we can offer depending on what difficulty you might face. If you request an adjustment which we are unable to offer, we will give you a reason why we cannot offer it. This might be because it maps to a key Knowledge, Skill or Behaviour that we have to assess against within the certification. If that is the case, we will tell you which aspect we think would not be properly assessed.
There may be background noise during an assessment. Please bring (or ask for) ear plugs / ear defenders or listen to music if background noise is likely to affect your concentration (please note this doesn’t apply to our training courses).
Access to all of our facilities is suitable for people with mobility issues. Should any other special facilities be required please get in touch at time of booking. For some reasonable adjustments, such as access to a disabled parking space, we will need to see supporting documentation around the condition to allow us to apply for this access for you. No information will be retained or stored once the request is validated.