CREST Tester Application Exam Syllabus

Use this quick start guide to collect all the information about the CREST Tester Application (CCT APP) certification exam. This study guide provides a list of objectives and resources that will help you prepare for items on the CCT APP CREST Tester Application exam. The sample questions will help you identify the type and difficulty level of the questions, and the practice exams will make you familiar with the format and environment of the exam. You should refer to this guide carefully before attempting your actual CREST Tester Application certification exam.

The CREST Tester Application certification is mainly targeted at candidates who want to build their career in the penetration testing domain. The CREST Certified Tester - Application (CCT APP) exam verifies that the candidate possesses the fundamental knowledge and proven skills in the area of CREST Tester Application.

CREST Tester Application Exam Summary:

Exam Name: CREST Certified Tester - Application (CCT APP)
Exam Code: CCT APP
Exam Price: $400 (USD)
Duration: 60 mins
Number of Questions: 60
Passing Score: 66%
Books / Training: CREST Training Providers
Schedule Exam: Pearson VUE
Sample Questions: CREST Tester Application Sample Questions
Practice Exam: CREST CCT APP Certification Practice Exam

CREST CCT APP Exam Syllabus Topics:


Soft Skills and Assessment Management (PT001)

Engagement Lifecycle - Understanding of the penetration testing life-cycle, from the initial client contact, to the delivery of the final report and subsequent consultancy work.
- Understands the structure of a penetration test, including all relevant processes and procedures.
- Understands penetration testing methodologies and follows these when required. These include methodologies defined by the tester's employer, together with recognised standards, such as OWASP.
- Understands the concepts of different types of penetration test, such as infrastructure and application, white and black-box, intelligence led and red team.
- Can explain the benefits a penetration test will bring to a client.
- Can accurately convey the results of the penetration testing in a verbal debrief and written report.
Law and Compliance - Awareness of the legal complexities of dealing with multinational organisations. 
- Awareness of requirements for interaction with law enforcement where appropriate. 
- Understanding of the importance of client confidentiality and non-disclosure agreements.
Law and Compliance (Regional) - Knowledge of relevant legislation affecting penetration testing in the candidate’s operating jurisdiction(s). Such legislation might include:
  • Legislation concerning computer misuse
  • Legislation concerning individual's personal data
  • Legislation affecting penetration testing with or on behalf of a specific sector

- Can provide examples of compliance and non-compliance.
- Knowledge of written authority required to comply with local laws.

Scoping - Understands client requirements and can produce an accurate and adequately resourced penetration testing scope.
- Understands technical, logistical, financial and other constraints, and is able to take these into account without compromising the effectiveness of the penetration test.
Managing Risk - Understands the risks associated with a penetration test, the usual outcomes of such risks materialising and how to mitigate the risks.
- Understands the importance of availability and how the risk of a denial of service can be reduced.
- Understands the ethical issues and associated risks related to penetration testing.
Client Communications - Defining daily checkpoints, escalation paths and emergency contacts as appropriate.
- Defining regular updates for stakeholders.
- Understanding of secure email communications such as S/MIME and PGP.
- Understanding of secure out-of-band communication channels.
Record Keeping - Understands the record keeping requirements mandated by internal and external standards.
- Understands the importance of accurate and structured record keeping during the engagement, including the output of tools.
- Understands the security requirements associated with record keeping, both during the penetration test and following the delivery of the final report.
- Can create records such that a report can be written based on the data recorded.
Reporting (Basic) - Understands the reporting requirements mandated by the client, internal and external standards.
- Ability to classify findings using distinct risk levels (e.g. HIGH, MEDIUM, LOW, etc.).
- Understands risk in relation to the confidentiality, integrity, and availability of a system and its data.
- Can interpret and understand versions 2 and 3.x of the Common Vulnerability Scoring System (CVSS).
Reporting - Ability to report attack chains made up of multiple vulnerabilities.
- Ability to convey a summary of a penetration test to both technical and non-technical audiences.
- For any given issue or group of issues, ability to convey:
  • A risk classification
  • A list of affected components
  • A detailed description of the problem
  • A description of the risk posed in terms of Confidentiality, Integrity and Availability of the system and its data.
  • The potential impact to the customer’s information systems and data preferably in terms of confidentiality, integrity and availability.
  • The cause of the issue (e.g. misconfiguration, human error, software vulnerability)
  • Which type of attacker would most likely exploit the issue (e.g. authorised internal user, external Internet connected anonymous user, attacker with physical access etc.)
  • The difficulty and likelihood of a successful exploit
  • Possible sources of further information
  • Detailed recommendations for remediation
Report QA - Understands security reporting QA and review; able to understand and comment on reporting written by others.
- Can utilise prior work to influence and continue testing and test plans.
Platform Preparation - Ability to prepare the required hardware and software for a penetration test.
- Ensures all necessary hardware is available, including laptops, switches, media-converters, wireless devices and cabling.
- Ensures all operating system and testing tools are relevant and up-to-date.
- Takes steps to avoid data cross-contamination, e.g. by sanitising a hard disk prior to deployment or taking an image from a master build.
- Ensures all commercial software is suitably licensed.
- Ensures sufficient Anti-Virus software is installed and is sufficiently up-to-date.

Core Technical Skills (PT002)

Using Tools and Interpreting Output - Can use a variety of tools during a penetration test, selecting the most appropriate tool to meet a particular requirement.
- Can interpret and understand the output of tools, including those used for port scanning, vulnerability scanning, enumeration, exploitation and traffic capture.
Pivoting - Understand the concept of pivoting through compromised systems and applications.
- Can demonstrate pivoting through multiple hops to gain access to targets on different networks.
Cryptography - Understands symmetric and asymmetric cryptography, common protocols and their security attributes.
- Understands encryption implementations within software applications, such as SSH, TLS and PGP and in networks such as IPSec and WiFi.
- Understands common cryptographic algorithms, hash functions, signing and message authentication.
- Understands PKI and the concepts of certificates, certificate authorities and trusted third parties.
Hardware Security - Understands the concepts behind common microprocessor vulnerabilities such as Spectre and Meltdown.
- Understands the concepts behind side-channel attacks such as timing analysis and power analysis.
- Understands how side-channel attacks can aid cryptanalysis and otherwise expose sensitive data.
- Understands common risks associated with Bluetooth, including:
  • Bluesnarfing
  • Bluejacking
  • Bluebugging
OS Fingerprinting - Understands active and passive operating system fingerprinting techniques and can demonstrate their use during a penetration test.

Internet Information Gathering and Reconnaissance (PT003)

Domain Registration - Understands the format of a WHOIS record and can obtain such a record to derive information about an IP address and/or domain.
DNS - Understands the Domain Name Service (DNS) including queries and responses, zone transfers, and the structure and purpose of records. Can query DNS servers or use passive DNS data to gather information on target systems.
- Can identify and exploit misconfigured DNS entries and associated vulnerabilities.
Web Site Analysis - Can analyse information from a target web site, from all sources such as displayed content, HTML, JavaScript, headers and connection metadata.
Search Engines - Effective use of search engines and other public data sources to gain information about a target.
- Knowledge and experience using specialist ‘service’ search engines such as internet scanners and web crawlers.
News Groups and Mailing Lists - Can use news groups, mailing lists and other services to obtain information about a target network.
- Can analyse email headers to identify system information.
Information Leakage - Can obtain information about a target network, such as internal network IP addresses, from information leaked in email headers, HTML meta tags and other locations.
Social Media - Knowledge of information that can be retrieved from social media sites.
- Knowledge and experience of information harvesting techniques, and an understanding of the legal implications of scraping social media sites.
Document Metadata - Extraction of potentially sensitive data (e.g. usernames, computer names, operating system, software products) from various document formats, including:
  • PDF
  • Microsoft Office documents
  • Common picture formats (e.g. JPEG, PNG, GIF etc.)

Networks (PT004)

Network Connections - Can use common network connections that could be required during a penetration test:
  • Ethernet
  • Wi-Fi
  • Ethernet VLANs
Ethernet Protocol - Basic understanding of how the Ethernet Protocol works.
- Can spoof MAC addresses to bypass security restrictions and facilitate man-in-the-middle attacks.
VLAN Tagging - Understands VLAN tagging (IEEE 802.1Q).
- Understands the security implications of VLAN tagging.
- Can connect to a specific VLAN given the VLAN ID from both Linux and Windows systems.
- Can identify and analyse VLAN tagged traffic on a network.
IPv4 - Basic understanding of how the IPv4 protocol works.
- Ability to configure interfaces with IP addresses both statically and using DHCP.
- Can perform host discovery using ARP and ICMP.
- Ability to understand and configure IP routing.
- Ability to perform standard penetration testing activities including network mapping, port scanning, and service exploitation.
- Awareness of common protocols that use IPv4 e.g. ICMP, IGMP, TCP, UDP.
- Awareness of IPsec.
IPv6 - Basic understanding of how the IPv6 protocol works.
- Ability to configure interfaces with IP addresses both statically, with DHCPv6 and with SLAAC.
- Ability to perform host discovery using the Neighbor Discovery Protocol and well-known multicast addresses.
- Ability to understand and configure IP routing manually or with Router Advertisements.
- Ability to perform standard penetration testing activities including network mapping, port scanning, and service exploitation.
- Awareness of common protocols that use IPv6 e.g. ICMPv6, TCP, UDP.
- Awareness of IPsec.
IPv4 and IPv6 Packet Manipulation - Understands components of IP packets.
- Can arbitrarily modify IP packet parameters, including source and destination IP addresses and TTL values, to bypass security controls and perform man-in-the-middle attacks.
- Can identify parameters of various packet types, including TCP, UDP, ICMP and ARP.
- Understands and can perform ARP spoofing safely and reliably to bypass security controls and facilitate man-in-the-middle attacks.
- Understands packet fragmentation.
Network Architecture - Can interpret logical network diagrams. Understands the security benefits of tiered architectures, DMZs and air gaps.
- Understands the security implications of shared media, switched networks and VLANs.
- Understands the core principles, concepts and security of a Software Defined Network (SDN).
Network Mapping - Can demonstrate the mapping of a network using a range of tools and by querying active services.
- Can accurately identify all hosts on a target network that meet a defined set of criteria, e.g. to identify all FTP servers or Cisco routers.
Network Devices - Analysing the configuration of the following types of network equipment:
  • Routers
  • Switches
  • Firewalls
Network Filtering - Understands network traffic filtering and where this may occur in a network.
- Understands the devices and technology that implement traffic filtering, such as firewalls, proxies and next-generation firewalls (NGFW), and can advise on their configuration.
- Can demonstrate methods by which traffic filters can be bypassed.
Traffic Analysis - Can intercept and monitor network traffic, capturing it to disk in a format required by analysis tools.
- Understands and can demonstrate network traffic analysis to recover information on targets such as credentials and vulnerabilities present.
TCP - Understands how TCP works and its relationship with IP protocols and higher level protocols.
- Understands different TCP connection states.
- Understands and can demonstrate active techniques for discovery of TCP services on a network.
UDP - Understands how UDP works and its relationship with IP protocols and higher level protocols.
- Understands different UDP connection states.
- Understands and can demonstrate active techniques for discovery of UDP services on a network.
Network Access Controls - Understands network access control systems, such as 802.1x and MAC address filtering, and can demonstrate how these technologies can be bypassed.
Wi-Fi - Enumeration and fingerprinting of devices running wireless (802.11) services.
- Knowledge of encryption and authentication options, and the relative merits of each.
- Understands how Wi-Fi networks can be attacked.
Service Identification - Can identify the network services offered by a host by banner inspection.
- Can state the purpose of an identified network service and determine its type and version.
- Understands the methods associated with unknown service identification, enumeration and validation.
- Evaluation of unknown services and protocols.
Host Discovery - Can identify targets on common networks using active and passive fingerprinting techniques and can demonstrate their use.
Network Intrusion Protection - Understands the concepts and the role of network intrusion protections, including:
  • IDS/IPS
  • Honeypots
  • Data Loss Prevention

- Awareness of how network intrusion protection systems may impact security testing.
- Awareness of evasion techniques.

Network Services (PT005)

Unencrypted Services - Understands how unencrypted services can be exploited.
- Can identify unencrypted services on the network and capture sensitive data.
- Is aware of common unencrypted services including:
  • Telnet
  • FTP
  • SNMP
  • HTTP
TLS / SSL - Understands the use of TLS and SSL in protecting data in transit.
- Is aware of SSL and TLS protocols and their common weaknesses.
- Understands the components of cipher suites and their roles.
- Understands the role of certificates in SSL and TLS.
- Can identify insecure configurations.
Network Configuration Protocols - Understands and can demonstrate the use of the following network configuration protocols:
  • DHCP
  • DHCPv6
  • SLAAC

- Understands the security attributes of the above protocols and technologies.
- Can demonstrate how these services can be exploited to gain access to a device or derive further information about the target network.

Name Resolution Services - Understands and can demonstrate the use of the following name resolution services:
  • DNS
  • DNS over HTTPS (DoH)
  • Domain Name System Security Extensions (DNSSEC)
  • NetBIOS / WINS
  • LLMNR
  • mDNS

- Understands the security attributes of the above protocols and technologies.
- Can demonstrate how these services can be exploited to gain access to a device or derive further information about the target network.
- Understands the Domain Name Service (DNS) including queries and responses, zone transfers, and the structure and purpose of DNS records.

Network Authentication - Understands and can demonstrate the use of the following network authentication protocols:
  • TACACS+
  • RADIUS
  • LDAP
  • Kerberos

- Understands the security attributes of the above protocols and technologies.
- Can demonstrate how these services can be exploited to gain access to a device or derive further information about the target network.

Management Services - Understands and can demonstrate the use of the following network management services:
  • Telnet
  • SSH
  • HTTP
  • Remote PowerShell
  • WMI
  • WinRM
  • RDP
  • VNC

- Understands the security attributes of the above protocols and technologies.
- Can demonstrate how these services can be exploited to gain access to a device or derive further information about the target network.

Desktop Access - Is aware of common protocols used to provide remote access to desktop services including:
  • RDP
  • VNC
  • XDMCP
  • X

- Understands the security attributes of the above protocols and technologies.
- Can demonstrate how these services can be exploited to gain access to a device or derive further information about the target network.

IPsec - Enumeration and fingerprinting of devices running IPsec services.
FTP - Understands FTP and can demonstrate how a poorly configured FTP server can be exploited, e.g. the downloading of arbitrary files, the uploading and overwriting of files, and the modification of file system permissions.
- Understands the security implications of anonymous FTP access.
- Understands FTP access control.
TFTP - Understands TFTP and can demonstrate how a poorly configured TFTP server can be exploited, including Cisco devices.
SNMP - Understands the difference between versions 1, 2c, and 3.
- Can enumerate information from targets including:
  • users
  • processes
  • network configuration

- Understands the MIB structure pertaining to the identification of security vulnerabilities.
- Understands the security attributes of SNMP.
- Can demonstrate how these services can be exploited to gain access to a device or derive further information about the target network.
- Understands how to extract and replace configuration files of Cisco devices.

SSH - Understands SSH and its associated security attributes, including the different versions of the protocol, version fingerprinting and how the service can be used to provide a number of remote access services.
- Can demonstrate how trust relationships can lead to the compromise of a server, allow a user to escalate privileges and/or gain further access to a host, e.g. through the use, creation or modification of ~/.ssh/authorized_keys files.
- Understands authentication mechanisms used by SSH.
NFS - Understands NFS and its associated security attributes and can demonstrate how exports can be identified.
- Can demonstrate how a poorly configured NFS service can lead to the compromise of a server, allow a user to escalate privileges and/or gain further access to a host, e.g. through the creation of SUID-root files, the modification of files and file system permissions, and UID/GID manipulation.
- Understands the concepts of root squashing and the nosuid and noexec options.
- Understands how NFS exports can be restricted at both a host and file level.
SMB - Is aware of common SMB implementations including:
  • Windows File Shares
  • Samba

- Can identify and analyse accessible SMB shares.

LDAP - Is aware of common LDAP implementations including:
  • Windows Active Directory
  • OpenLDAP

- Can enumerate LDAP directories and extract arbitrary data including:
  • usernames and groups
  • target system names
Berkeley R* Services - Understands the Berkeley r-services and their associated security attributes and can demonstrate how trust relationships can:
  • lead to the compromise of a server
  • allow a user to escalate privileges and/or gain further access to a host, e.g. through the use, creation or modification of .rhosts and/or /etc/hosts.equiv files.

- Can perform user enumeration using the rwho and rusers services.

X - Understands X and its associated security attributes, and can demonstrate how insecure sessions can be exploited, e.g. by obtaining screenshots, capturing keystrokes and injecting commands into open terminals.
- Understands X authentication mechanisms.
- Understands the difference between host based and user based access control.
Finger - Understands how the finger daemon derives the information that it returns, and hence how it can be abused.
- Enumeration of usernames.
RPC Services - Can perform RPC service enumeration.
- Is aware of common RPC services.
- Is aware of and can exploit recent or commonly-found RPC service vulnerabilities.
NTP - Understands the function of NTP and the importance of it for logging and authentication.
- Can extract information about the target network from NTP services.
IPMI - Understands and can demonstrate use of IPMI for the remote management of devices, such as HP ILO and Dell DRAC.
- Understands the security attributes of IPMI.
- Can exploit common vulnerabilities to gain access to a device.
VoIP - Enumeration and fingerprinting of devices running VoIP services.
- Knowledge of the SIP protocol.
SMTP and Mail Servers - Understands and can demonstrate valid username discovery via EXPN and VRFY.
- Awareness of recent vulnerabilities in mail server applications (e.g. Postfix and Exchange) and the ability to exploit them if possible.
- Understands mail relaying.
Vulnerable Services - Can identify and remotely exploit services with recent or well known public vulnerabilities.

Microsoft Windows Security Assessment (PT006)

Windows Reconnaissance - Can identify Windows hosts on a target network.
- Can identify forests, domains, domain controllers, domain members and workgroups.
- Can enumerate accessible Windows shares.
- Can identify and analyse internal browse lists.
Windows Network Enumeration - Can perform user and group enumeration on target systems and domains, using various protocols and methods including:
  • NetBIOS
  • LDAP
  • SNMP
  • RID Cycling

- Can obtain other information, such as password policies.

Active Directory - Understands Active Directory structure
- Understands Active Directory roles (Global Catalogue, Master Browser, FSMO)
- Understands Group Policy.
- Understands user accounts and can manipulate these accounts to gain further access to a target system, e.g. by escalating privileges from a domain user to a domain admin.
- Understands the reliance of Active Directory on DNS and LDAP.
- Understands the role of Kerberos within Active Directory.
- Understands and can identify the different types of domain trusts, including:
  • One-way and two-way trusts
  • Explicit and transitive trusts
Active Directory Enumeration - Understands password policies, including complexity requirements and lock-out.
- Understands how to avoid causing a denial of service by locking-out accounts.
- Understands Windows password hashing algorithms, the merits of each algorithm, and their associated security attributes.
- Understands how passwords are stored and protected and can demonstrate how they can be recovered.
- Understands and can demonstrate off-line password cracking using dictionary and brute-force attacks, including the use of rainbow tables.
Windows Processes - Can identify running processes and exploit vulnerabilities to escalate privileges.
- Understands and can exploit DLL loading mechanisms to escalate privileges.
Windows File Permissions - Understands and can demonstrate the manipulation of file system permissions on Windows operating systems.
- Understands how insecure file system permissions can be exploited to escalate privileges and/or gain further access to a host.
- Can identify files with insecure or "unusual" permissions that can be exploited.
Registry - Understands and can demonstrate the detection and manipulation of weak registry ACLs.
- Can extract data from registry keys.
Windows Remote Exploitation - Understands and can demonstrate the remote exploitation of Windows operating system and third-party software application vulnerabilities.
Windows Advanced Remote Exploitation - Understands the use of tools and techniques to identify new OS and software vulnerabilities.
- Understands the techniques used to develop exploit code for existing and new vulnerabilities.
Windows Local Exploitation - Understands and can demonstrate the local exploitation of Windows operating system and third-party software application vulnerabilities.
- Understands and can demonstrate local privilege escalation techniques, e.g. through the manipulation of insecure file system or service permissions
Advanced Local Exploitation - Understands the use of tools and techniques to identify new OS and software vulnerabilities.
- Understands the techniques used to develop exploit code for existing and new vulnerabilities.
Windows Post Exploitation - Understands and can perform common post exploitation activities, including:
  • obtaining password hashes, both from the local SAM and cached credentials or obtaining locally stored clear-text passwords
  • cracking password hashes
  • obtaining patch levels
  • deriving a list of missing security patches
  • reverting to a previous state
  • lateral and horizontal movement
Windows Patch Management - Understands common Windows patch management strategies, including:
  • SMS
  • SUS
  • WSUS
Windows Desktop Lockdown - Understands and can demonstrate techniques to break out of a locked down Windows desktop or Citrix environment.
- Can perform privilege escalation techniques from a desktop environment.
Active Directory Attack Paths - Can analyse a Windows Active Directory environment and identify attack paths that can be used to escalate privileges or compromise a specific target.
Common Windows Applications - Knowledge of significant vulnerabilities in common Windows applications for which there is public exploit code available.

Linux / UNIX Security Assessment (PT007)

Linux / UNIX Host Discovery and Reconnaissance - Can identify Linux / UNIX hosts on a network.
Linux / UNIX Network Enumeration - Can demonstrate and explain the enumeration of data from a variety of common network services on various platforms including:
  • Filesystems or resources shared remotely, such as NFS and SMB
  • SMTP
  • SSH
  • Telnet
  • SNMP

- Is aware of legacy user enumeration techniques such as rusers, rwho and finger.
- Can enumerate RPC services and identify those with known security vulnerabilities.

Linux / UNIX Passwords - Understands users, groups and password policies, including complexity requirements and lock out.
- Understands how to avoid causing a denial of service by locking out accounts.
- Understands the format of the passwd, shadow, group and gshadow files.
- Understands UNIX password hashing algorithms and their associated security attributes.
- Understands how passwords are stored and protected and can demonstrate how they can be recovered.
- Understands and can demonstrate off-line password cracking using dictionary and brute force attacks.
- Can demonstrate the recovery of password hashes when given physical access to a Linux / UNIX host.
Linux / UNIX File Permissions - Understands and can demonstrate the manipulation of file system permissions on Linux and UNIX operating systems.
- Understands how insecure file system permissions can be exploited to escalate privileges and/or gain further access to a host.
- Can find "interesting" files on an operating system, e.g. those with insecure permissions, assigned setuid / setgid permissions, assigned sensitive capabilities or containing user account passwords.
Linux / UNIX Processes - Can identify running processes on Linux / UNIX hosts and exploit vulnerabilities to escalate privileges.
- Understands and can exploit shared library loading mechanisms to escalate privileges.
Linux Remote Exploitation - Understands and can demonstrate the remote exploitation of Linux systems.
Linux Local Exploitation - Understands and can demonstrate the local exploitation of Linux operating system vulnerabilities.
- Understands and can demonstrate local privilege escalation techniques, e.g. through the manipulation of insecure file system permissions.
Linux / UNIX Post Exploitation - Understands and can demonstrate common post-exploitation activities, including:
  • obtaining locally stored clear-text passwords
  • password recovery (exfiltration and cracking)
  • lateral movement
  • checking OS and third party software application patch levels
  • deriving a list of missing security patches
  • reversion of OS and software components to previous state
Unix Exploitation - Understands weaknesses, common misconfigurations and exploits that may affect Unix systems.

Web Technologies (PT008)

Web Servers - Can identify web servers on a target network and can remotely determine their type and version.
- Understands the various mechanisms web servers use for hosting applications, including:
  • virtual hosts
  • multiple ports
  • application specific URLs

- Understands and can demonstrate the remote exploitation of web servers.
- Understands the concepts of web proxies including reverse proxies.
- Understands the purpose, operation, limitation and security attributes of web proxy servers.

Web Application Frameworks - Can identify common web application frameworks and technologies.
- Is aware of and can exploit vulnerabilities in common web application frameworks and technologies.
Common Web Applications - Can identify common web applications and exploit well known vulnerabilities.
Web Protocols - Understands and can demonstrate the use of web protocols, including:
  • HTTP / HTTPS
  • WebSockets

- Understands all HTTP methods and response codes.
- Understands HTTP header fields relating to security features.

Mark Up Languages - Understands common web mark up languages, including:
  • HTML
  • XHTML
  • XML
Web Languages - Understands common web client and server programming languages.
- Understands and can demonstrate how the insecure implementation of software developed using these languages can be exploited.
Web APIs - Understands and can demonstrate the use of web based APIs to remotely access remote services.
- Understands the concepts behind SOAP, REST and GraphQL APIs, payload formats and API definitions and documentation.
- Understands common authentication techniques used in web APIs.
- Understands and can demonstrate how the insecure implementation of web-based APIs can be exploited.
Web Clients - Understands thick client software and its use of web or API endpoints.
- Can analyse client side code to facilitate server side testing.
Web Application Reconnaissance - Understands content discovery techniques and can demonstrate website enumeration and reconnaissance through spidering, code analysis, forced browsing or other relevant process to map linked or unlinked content.
- Can interpret website data and metadata to refine reconnaissance methods.
Web Threat Modelling and Attack Vectors - Simple threat modelling based on customer perception of risk.
- Relate functionality offered by the application to potential attack vectors.
Information Gathering - Can gather information from a web site and application mark up or application code, including:
  • hidden form fields
  • database connection strings
  • user account credentials
  • developer comments
  • external and/or authenticated-only URLs.

- Can gather information about a web site and application from the error messages it generates.

Web Authentication - Understands common authentication mechanisms and their security issues, including external authentication providers and single sign-on.
- Understands and can demonstrate authentication vulnerabilities in web application authentication processes.
Web Authorisation - Understands common pitfalls associated with the design and implementation of application authorisation mechanisms.
Input Validation - The importance of input validation as part of a defensive coding strategy.
- How input validation can be implemented and the differences between allow list, deny list and data sanitisation.
- Understands the need for server side validation and the flaws associated with client-side validation.
Web Application Fuzzing - Understands fuzzing and its use in web application testing.
- Understands the generation of fuzzing strings and their potential effects, including the dangers they may introduce.
Cross Site Scripting - Understands cross site scripting (XSS) and can demonstrate the launching of a successful XSS attack.
- Understands the difference between persistent, reflected and DOM based XSS.
SQL Injection - Determine the existence of SQL injection conditions in web applications.
- Can exploit SQL injection to execute arbitrary SQL commands in a database.
NoSQL Injection - Determine the existence of a NoSQL injection condition in a web application.
- Can exploit NoSQL injection to enable unintended operation of the website, retrieval of data or execution of code, dependent on the technologies in use.
ORM Injection - Can demonstrate the ability to identify, explain and prove the existence of ORM injection in a web application.
XML Related Injection - Can demonstrate the ability to identify, explain and prove the existence of the different types of XML related injections within web applications.
LDAP Injection - Can demonstrate the ability to identify, explain and prove the existence of LDAP injection in a web application.
- Can exploit LDAP injection to extract arbitrary data from an LDAP directory.
Server-Side Includes (SSI) Injection - Can demonstrate the ability to identify, explain and prove the existence of SSI injection in a web application.
Mail Injection - Can demonstrate the ability to identify, explain and prove the existence of the following types of mail related injection in a web application:
  • SMTP injection
  • IMAP injection
Code Injection - Can demonstrate the ability to identify, explain and prove the existence of code injection in a web application built with common web scripting languages.
OS Command Injection - Can demonstrate the ability to identify, explain and prove the existence of OS command injection in a web application.
Sessions & Tokens - Understands the use of session or token authentication mechanisms used within web applications and APIs.
- Understands the security implications of sessions, exploiting weaknesses including hijacking, fixation, session puzzling and specific vulnerabilities in common session implementations.
- Understands the security implications of tokens, exploiting weaknesses including token manipulation, re-use and specific vulnerabilities in common token implementations.
Cookies - Understands how cookies work in a web application.
- Understands cookie attributes and how they can affect the security of a web application.
Request Forgery - Understands and can exploit cross-site and server-side request forgery vulnerabilities.
- Understands the role of sessions in CSRF attacks.
Mass Assignment - Understands and can identify and exploit mass assignment vulnerabilities.
Web Cryptography - Understands how cryptography can be used to protect data in transit and data at rest, both on the server and client side.
- Understands the concepts of TLS and can determine whether a TLS-enabled web server has been configured in compliance with best practice (i.e. it supports recommended ciphers and key lengths).
- Understands how hashing can be used appropriately within web applications.
- Exploitation of weak cryptography or poorly configured encryption within web applications, including padding oracle and man-in-the-middle.
- Understands and can perform relevant attacks against web applications or web APIs where the connections are insecure.
Directory Traversal - Understands and can identify directory traversal vulnerabilities within applications.
File Uploads - Understands and can identify common vulnerabilities with file upload capabilities within applications.
- Understands the role of MIME types in relation to file upload features.
- Can generate malicious payloads in a variety of common file formats.
CRLF Attacks - Understands and can demonstrate CRLF attacks, including:
  • HTTP Splitting
  • HTTP Smuggling
Web Application Logic Flaws - Can assess and exploit vulnerabilities within the functional logic, function access control and business logic of an application.
Client Side Vulnerabilities - Understands and can demonstrate client side vulnerabilities within web applications, including:
  • DOM based XSS
  • HTML injection
  • URL redirect
  • CSS injection
  • Resource manipulation
  • Cross origin resource sharing
  • Clickjacking
  • Web messaging (cross-document messaging)
  • Browser storage
  • Cross site script inclusion

Databases (PT009)

SQL Relational Databases - Can use SQL to interact with relational databases and extract information, e.g. SQLite, PostgreSQL.
- Understands common connection and authentication methods to connect to SQL databases.
- Can recognise common database connection string formats, e.g. JDBC, ODBC.
- Understands and can demonstrate the remote exploitation of common SQL databases.
- Understands and can demonstrate how access can be gained to a database through the use of default account credentials and insecure passwords.
- Can identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible).
Microsoft SQL Server - Understands and can demonstrate the remote exploitation of Microsoft SQL Server.
- Understands and can demonstrate how access can be gained to a Microsoft SQL Server through the use of default account credentials and insecure passwords.
- Can identify and exploit linked server configurations.
- Can identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible).
- Can leverage database features to enumerate domain information.
- Following the compromise of Microsoft SQL server, can execute system commands, escalate privileges, read/write from/to the file system, and/or gain further access to a host.
Oracle RDBMS - Understands and can demonstrate the remote exploitation of an Oracle RDBMS instance.
- Understands the security attributes of the Oracle TNS Listener service.
- Understands and can demonstrate how access can be gained to an Oracle RDBMS through the use of default account credentials and insecure passwords.
- Can identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible).
- Can demonstrate how the software version and patch status can be obtained from an Oracle database.
- Following the compromise of an Oracle database, can execute system commands, escalate privileges, read/write from/to the file system, and/or gain further access to a host.
MySQL - Understands and can demonstrate the remote exploitation of a MySQL database.
- Understands and can demonstrate how access can be gained to a MySQL database through the use of default account credentials and insecure passwords.
- Can identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible).
- Can demonstrate how the software version and patch status can be obtained from a MySQL database.
- Following the compromise of a MySQL database, can execute system commands, escalate privileges, read/write from/to the file system, and/or gain further access to a host.
PostgreSQL - Understands and can demonstrate the remote exploitation of a PostgreSQL database.
- Understands and can demonstrate how access can be gained to a PostgreSQL database through the use of default account credentials and insecure passwords.
- Can identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible).
- Can demonstrate how the software version and patch status can be obtained from a PostgreSQL database.
- Following the compromise of a PostgreSQL database server, can execute system commands, escalate privileges, read/write from/to the file system, and/or gain further access to a host.
NoSQL - Understands and can demonstrate the remote exploitation of common NoSQL databases including key-value, document, graph and column types.
- Understands and can demonstrate how access can be gained to such a database through the use of default account credentials and insecure passwords.
- Can identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible).

Virtualisation (PT010)

Virtualisation Platforms - Can identify use of popular virtualisation technologies, including:
  • VMware
  • Microsoft Hyper-V
  • Citrix
  • Oracle VirtualBox
  • Linux KVM

- Understands common vulnerabilities found in hypervisors, including:

  • Exposure of management interface
  • Use of default or insecure credentials
  • Common high profile CVEs

- Understands the inherent risks in shared virtualised environments, e.g. shared memory space

Virtual Machine Escape - Understands and can demonstrate common techniques for escaping a virtualised environment, including:
  • Directory traversal in shared folders
  • Virtual device communication breakout
  • Public CVEs relating to memory corruption
Snapshots - Can demonstrate how to take snapshots and techniques for recovering key sensitive information
- Understands the security implications of reverting a VM to a previous state
- Understands the sensitive nature of snapshot files and the need to restrict access

Containerisation (PT011)

Containers - Understands the key differences between virtualisation and containerisation
- Understands how containers are isolated from the host system
- Can identify and interrogate running containers on a host
- Can identify common vulnerabilities and weaknesses present in containers, including:
  • Missing security patches
  • Weak file permissions
  • Insufficient or lack of resource quotas
  • Presence of sensitive information in environment variables, running processes or filesystem
Docker - Understands how Docker containers are implemented on Linux and Windows.
- Understands the concepts of layered filesystems and how to extract and analyse specific layers within an image
- Understands and can analyse Dockerfile files to uncover weaknesses in static images, including:
  • Use of unencrypted connections for performing downloads
  • Use of overly generous permissions, e.g. running as the root user
  • Inclusion of sensitive information, e.g. passwords or private keys
  • Unnecessary exposure of ports

- Understands Docker networking and how containers interact with each other and the host networks.
- Understands and can exploit misconfigurations in containers that can lead to privilege elevation and escaping the container.
- Understands and can exploit misconfigurations in the environment that could allow malicious containers to be deployed.

Kubernetes - Understands how Kubernetes containers are implemented.
- Understands Kubernetes networking and how containers interact with each other and the host networks.
- Understands how Kubernetes containers are managed and deployed.
- Understands and can exploit misconfigurations in containers that can lead to privilege elevation and escaping the container.
- Understands and can exploit misconfigurations in the environment that could allow malicious containers to be deployed.
LXD - Understands how LXD containers are implemented.
- Understands LXD networking and how containers interact with each other and the host networks.
- Understands how LXD containers are managed and deployed.
- Understands and can exploit misconfigurations in containers that can lead to privilege elevation and escaping the container.
- Understands and can exploit misconfigurations in the environment that could allow malicious containers to be deployed.

Cloud Security (PT012)

Penetration Testing Authorisation - Understands the importance of obtaining authorisation from cloud hosting providers and the potential effects on permitted types of testing during engagements.
Virtual Private Clouds - Understands the concepts of a VPC and the implications on performing security assessments.
- Can competently assess resources within a private cloud-hosted environment, advising on any necessary temporary changes that may be needed (e.g. creation of bastion hosts, changes to Security Groups / firewalls).
Logging and Monitoring - Can analyse logging configuration within a cloud environment and advise on improvements.
- Can analyse the configuration of resource monitoring and alarm generation and advise on improvements.
Identity and Access Management - Understands the identity and access management models of popular cloud providers.
- Can assess roles and policies to identify weaknesses relating to insecure permissions.
Denial of Service and Resource Exhaustion - Understands how (Distributed) Denial of Service attacks are performed and the protective measures available in cloud environments.
- Understands the financial implications of excessive resource consumption.
General Cloud Reconnaissance - Can identify services and configurations associated with popular cloud providers
- Can enumerate the services that are deployed and used within a cloud account
- Can interpret cloud policies and permissions
- Can identify common cloud misconfigurations
General Host to Cloud Transition - Understands and can demonstrate how compromise of systems can be used to gain access to cloud services
- Understands and can demonstrate the ability to recover credentials that could be used to access cloud services

Physical Security (PT014)

Locks - Understands how locks can be used to restrict access to computer hardware.
Tamper Seals - Understands how tamper seals can be used to deter access to computer hardware.
Platform Integrity - Understands platform integrity technologies, e.g. TPM.
Boot Sequence - Understands the BIOS boot sequence and can obtain privileged access to an operating system by exploiting vulnerabilities in a boot sequence configuration, e.g. booting from removable media or enabling PXE boot.
- Understands how Secure Boot works.
Disk Encryption - Understands the security implications of unencrypted storage devices, such as hard disks.
- Can demonstrate how data can be recovered from unencrypted storage devices, and how such data can be manipulated to introduce vulnerabilities into an operating system.
- Understands the difference between hardware and software disk encryption implementation and the related security implications.
- Understands the limitations of disk encryption.
Recovery Functionality - Understands the security attributes of operating system recovery functionality, e.g. Windows Recovery Console and Safe Mode.
Authentication - Understands multi-factor authentication systems, such as tokens and SMS.
- Understands types of biometrics and how they can be applied.
- Understands the concept of one-time pads.
- Understands the use of digital certificates as an authentication mechanism.
- Understands the concept of contactless RFID smart cards.

Secure Development Operations (PT015)

Secure Coding Practices - Understands common insecure programming practices, including:
  • Use of dangerous functions
  • Insufficient sanitisation of user-supplied data
  • Use of outdated third party components
  • Logic errors
Security in the Development Lifecycle - Understands the role of automated security testing tools as part of the development process, including:
  • Static analysis tools (SAST)
  • Dependency checking tools
  • Dynamic analysis tools (DAST)

- Understands how automated tooling can safely and effectively be incorporated into the development pipeline.
- Can identify and advise on common security misconfigurations of these tools.

Infrastructure as Code - Understands the role of tools to automate the building, configuration and deployment of infrastructure, including:
  • Terraform
  • AWS CloudFormation
  • Azure Resource Manager
  • Puppet
  • Ansible
  • Chef

- Can identify and advise on common security misconfigurations of these tools.

Code Repository Security - Can identify and advise on issues relating to weakly protected code repositories, for example:
  • Openly exposed repositories containing closed source code
  • Weak or insufficiently protected credentials

- Understands the security implications of storing sensitive information in source code repositories, e.g. passwords, private cryptographic keys or API keys.

Social Engineering (PT019)

Phishing - Understands the concept of Phishing, spear Phishing and Whaling
- Understands how common document formats can be used to execute code
- Understands common methods used to connect to Command and Control (C2) Infrastructure
Vishing - Understands the concept of Vishing
- Understands the concepts of caller ID spoofing

macOS Security Assessment (PT020)

macOS Reconnaissance - Can identify macOS hosts on a network
macOS Network Enumeration - Can demonstrate and explain the enumeration of data from a variety of common network services
- Familiarity with the native macOS firewall, its default configuration and policy configurations
macOS Passwords - Familiarity with the macOS privilege model including the default permissions of the Administrator, Standard and Sharing Only groups and the default configuration of the 'root' account
- Understands password and account lockout policy configurations including complexity requirements and user lock out
- Understands how passwords are stored and protected and can demonstrate how they can be recovered
- Understands and can demonstrate off-line password cracking using dictionary and brute force attacks
- Knowledge of password storage mechanisms such as the local Keychain and iCloud Keychain and the key differences
macOS File Permissions - Understands and can demonstrate the manipulation of file system permission on macOS operating systems.
- Understands how insecure file system permissions can be exploited to escalate privileges and/or gain further access to a host.
- Can find "interesting" files on an operating system, e.g. those with insecure or "unusual" permissions, or containing user account passwords
macOS Remote Exploitation - Understands and can demonstrate the remote exploitation of macOS systems
macOS Local Exploitation - Understands and can demonstrate Local privilege escalation techniques, e.g. through the manipulation of insecure file system permissions
- Knowledge of system and binary restriction implementations such as those configured through Jamf and Microsoft Intune
macOS Post Exploitation - Understands and can demonstrate common post-exploitation activities, including:
  • obtaining locally stored clear-text passwords
  • password recovery (exfiltration and cracking)
  • checking OS and third party software application patch levels
  • deriving a list of missing security patches

To ensure success in the CREST Tester Application certification exam, we recommend an authorized training course, practice tests and hands-on experience to prepare for the CREST Tester Application (CCT APP) exam.
