Testimonials

C-AI/MLPen

C-AI/MLPen

C-AI/MLPen

C-AI/MLPen
Who should take this exam?
CBFPro is intended to be taken by pentesters, application security architects, SOC analysts, red and blue team members and any security enthusiasts, who want to evaluate and advance their knowledge.
What is the format of the exam?
CBFPro is an intense 4 hour long practical exam. It requires candidates to solve a number of challenges, identify and exploit various vulnerabilities and obtain flags. The exam can be taken online, anytime (on-demand) and from anywhere. Candidates will need to connect to the exam VPN server to access the vulnerable applications.
What are the pass criteria for the exam?
The pass criteria are as follows:
- Candidates scoring over 60% marks will be deemed to have successfully passed the exam.
- Candidates scoring over 75% marks will be deemed to have passed with merit.
What is the experience needed to take the exam?
This is an intermediate-level exam. Candidates should have prior knowledge and experience in fuzzing techniques. They should be familiar with common vulnerability types identified through fuzzing, such as buffer overflows, input validation issues, and memory corruption vulnerabilities. Candidates should also understand different fuzzing tools, techniques, and methodologies used to discover security flaws in applications and systems. The exam will test their ability to demonstrate practical knowledge by completing a series of tasks focused on identifying and exploiting vulnerabilities using fuzzing in a real-world environment.
Note: As this is an intermediate-level exam, a minimum of two years of professional pentesting/bug-bounty experience is recommended.What will the candidates get?
On completing the exam, each candidate will receive:
- A certificate with their pass/fail and merit status.
- The certificate will contain a certificate number, which can be used by anyone to validate the certificate.
What is the exam retake policy?
Candidates who fail the exam are allowed 1 free exam retake within the exam fees.
What are the benefits of this exam?
The certificate will allow candidates to demonstrate their understanding of fuzzing techniques. This will help them to advance in their career.
How long is the certificate valid for?
The certificate does not have an expiration date. However, the passing certificate will mention the details of the exam such as the exam version and the date. As the exam is updated over time, candidates should retake the newer version exam as per their convenience.
Will You Provide Any Training That Can Be Taken Before The Exam?
Being an independent certifying authority, we (The SecOps Group) do not provide any training for the exam. Candidates should carefully go over each topic listed in the syllabus and make sure they have adequate understanding, required experience and practical knowledge of these topics. Further, the following independent resources can be utilised to prepare for the exams.
Company | Free/Paid |
---|---|
LiveOverflow | Free |
STÖK | Free |
FuzzingLabs | Paid |
Fuzzing/IO | Paid |
Fuzzing At | Paid |
Fuzzing 101 | Free |
AFLplusplus | Free |
Trail of Bits Testing Hanbook | Free |
Fuzzing PHP for Fun and Profit | Free |
Exam Syllabus
The exam will cover the following topics
Understanding Of Different Fuzzing Concepts And Techniques
Types of Fuzzing
- Application Fuzzing
- Protocol Fuzzing
- File Format Fuzzing
Working With Different Fuzzing Tools And Frameworks
- OSS-Fuzz
- Syzkaller
- ClusterFuzz
- WinAFL
- Radamsa
- Peach Fuzzer
- Sulley Framework
- QEMU-based Fuzzers
Fuzzing Different Software Components
- APIs, Web Applications And Its Services
- Network Protocols
- Binary
Automating Fuzzing Using Scripts/Tools
Overflows
- Use-After-Free
- Double Free
- Null Pointer Dereference
- Memory Leaks
- Heap Corruption
Network Protocols
- TCP/IP Stack Fuzzing
- Wireless Protocol Fuzzing
- IoT Protocol Fuzzing
- Custom Protocol Fuzzing
Race Conditions
Memory Corruption and Crashes
Analyzing Crash Dumps and Logs
Denial of Service (DoS) Related Vulnerabilities
Fuzzing Web Servers
Rate Limiting Vulnerabilities
Other Fuzzing Specific Vulnerabilities
Mitigation Strategies For Vulnerabilities Uncovered By Fuzzing
Sample Question?
- Evaluate the application’s anti-reversing checks. Which of the following statements is true in the context of the Jailbreak Detection?
-
- The Application has a robust Jailbreak Detection implementation.
- The Application lacks any Jailbreak Detection implementation.
- The Application has insufficient Jailbreak Detection, which can be bypassed.
- The Application has implemented Jailbreak Detection, and it can not be bypassed.
Prerequisites:
Host Operating System:
Windows/Linux/MacOS with minimum 8GB RAM (MacOS Preferred).
Physical Device with Minimum iOS Version Supported:
iOS 14 or higher (Jailbroken).
Note: Please make sure you have your iOS pentesting environment ready (Jailbroken Physical Device, Burp Suite, or any similar proxy tool along with Frida, objection and other similar pentesting tools) prior to starting the exam. The IPA build will be distributed via TestFlight.
