Sitting for the GIAC Web Application Penetration Tester exam in 8 weeks. Currently working through the course material but it's dense. I do about 2 hours a day on weekdays and 4 on weekends.
SQL injection and XSS feel solid. Authentication bypass and session management are where I keep tripping up on practice questions. Anyone who's passed recently — is the real exam heavy on those areas?
Also wondering about the open-book format. I hear GIAC exams let you bring notes. How do you organize your notes effectively? I don't want to waste time flipping through pages during the exam.
Session management questions were about 15% of what I saw. Know the difference between fixation, hijacking, and prediction attacks. Those show up a lot.
Passed it 4 months ago with a 79. Make a tight index for your notes — topic, page number, done. Don't write essays, just key commands and payloads.
The open book is a trap if you're not organized. I'd say 60% of my time on hard questions was spent reading, not using notes. Know the material first.
Don't neglect the business logic testing section. Feels less technical but there were more questions on it than I anticipated.
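The three session attacks named in the reply above are easiest to tell apart in code. The following is an added example written for this thread, not code from any poster or from the GIAC course material. It builds two toy in-memory session stores (class and function names are hypothetical): one that reproduces the classic flaws and one hardened against them. Fixation is shown by the attacker planting an ID the victim then authenticates with; prediction by sequential IDs versus CSPRNG tokens; and hijacking by the cookie flags that make a stolen-in-transit or XSS-read ID harder to obtain.

```python
import secrets


class FixationProneStore:
    """Toy store with three textbook weaknesses (hypothetical, for illustration):
    sequential IDs (prediction), acceptance of client-supplied IDs the server
    never issued, and no ID rotation at login (fixation)."""

    def __init__(self):
        self.sessions = {}  # sid -> session data
        self._counter = 1000

    def new_sid(self):
        # Predictable: each ID is the previous one plus one.
        self._counter += 1
        return str(self._counter)

    def get_or_create(self, presented_sid):
        # Trusts whatever ID the client presents.
        self.sessions.setdefault(presented_sid, {})
        return presented_sid

    def login(self, sid, user):
        # Keeps the pre-authentication ID, so a planted ID becomes authenticated.
        self.sessions[sid]["user"] = user
        return sid


class HardenedStore:
    """Same interface, with the usual fixes: random IDs, server-issued IDs only,
    and rotation of the ID at the login privilege boundary."""

    def __init__(self):
        self.sessions = {}

    def new_sid(self):
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def get_or_create(self, presented_sid):
        if presented_sid in self.sessions:
            return presented_sid
        sid = self.new_sid()  # unknown ID: ignore it and issue a fresh one
        self.sessions[sid] = {}
        return sid

    def login(self, sid, user):
        data = self.sessions.pop(sid, {})
        data["user"] = user
        new_sid = self.new_sid()  # rotate so a pre-planted ID is worthless
        self.sessions[new_sid] = data
        return new_sid


def fixation_attack(store):
    """Simulate session fixation. Returns True if the attacker's planted ID
    ends up bound to the victim's authenticated session."""
    planted = "attacker-planted-id"  # constructed: set in the victim's browser by the attacker
    victim_sid = store.get_or_create(planted)  # victim's browser presents the planted ID
    store.login(victim_sid, "victim")  # victim authenticates
    # Attacker replays the planted ID and checks whether it is now the victim's session.
    return store.sessions.get(planted, {}).get("user") == "victim"


def ids_are_sequential(store, n=5):
    """Crude prediction check: do n freshly issued IDs form an arithmetic sequence?"""
    ids = [store.new_sid() for _ in range(n)]
    if not all(s.isdigit() for s in ids):
        return False
    nums = [int(s) for s in ids]
    return len({b - a for a, b in zip(nums, nums[1:])}) == 1


def session_cookie(sid, hardened=True):
    """Set-Cookie value. The hardened form carries the flags that raise the bar
    for hijacking: Secure (no cleartext), HttpOnly (no script access),
    SameSite (not sent cross-site)."""
    if not hardened:
        return f"SESSIONID={sid}"
    return f"SESSIONID={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def missing_cookie_flags(header):
    """Return the hijacking-relevant flags absent from a Set-Cookie value."""
    attrs = {part.strip().split("=")[0].lower() for part in header.split(";")[1:]}
    return sorted(f for f in ("httponly", "samesite", "secure") if f not in attrs)


if __name__ == "__main__":
    for store_cls in (FixationProneStore, HardenedStore):
        print(store_cls.__name__,
              "fixation:", fixation_attack(store_cls()),
              "sequential IDs:", ids_are_sequential(store_cls()))
    print("weak cookie missing:", missing_cookie_flags(session_cookie("abc", hardened=False)))
    print("hardened cookie missing:", missing_cookie_flags(session_cookie("abc")))
```

The distinction the reply is pointing at: fixation is the attacker choosing the ID before authentication, prediction is the attacker computing a valid ID, and hijacking is the attacker learning an ID that already exists. Rotation at login defeats the first, CSPRNG IDs defeat the second, and the cookie flags only narrow the channels for the third, so they are a mitigation rather than a fix.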