Got my GWAPT last month. I had about 6 months of web pen testing experience before sitting for it, which helped a lot, but I still put in serious study time.
The exam is very hands-on in its thinking — you need to understand the HOW behind web application attacks, not just the names. SQLi, XSS, CSRF, IDOR, authentication bypass — know each one mechanically. What makes them work, how you detect them, how they are mitigated.
I did 10 weeks of structured prep. First 4 weeks reviewing OWASP Top 10 deeply. Weeks 5-7 on GIAC course material. Last 3 weeks were all practice tests and lab work in a local vulnerable app environment. Scored 88% on the exam.
Burp Suite proficiency is non-negotiable. If you are not comfortable with Intruder, Repeater, and the proxy, spend time there before anything else.
Currently 4 weeks into prep. The authentication bypass section is harder than expected. Any tips on that specific area?
Mostly DVWA and Juice Shop. Juice Shop is especially good because the challenge format keeps you engaged. I also spun up a few intentionally vulnerable Docker containers for specific vulnerability types.
PortSwigger Web Security Academy is completely free and legitimately excellent for GWAPT prep. Do not skip it.
For auth bypass — focus on JWT weaknesses, session fixation, and password reset flow vulnerabilities. Those come up a lot. Understanding how each attack chain works from recon through exploitation is the key skill the exam tests.
Nice score! Did you use any specific vulnerable web app labs for practice? DVWA, WebGoat, something else?