
GIAC Certified Web Application Defender (GWEB)

Practitioner Certification

Distinguish yourself as a practitioner with the vital knowledge and skills to secure web applications, able to recognize common weaknesses and implement effective defenses.

The GIAC Web Application Defender (GWEB) certification validates a practitioner’s expertise in handling the common web application errors that lead to most security problems. GWEB certification holders have hands-on experience using current tools to detect and prevent input validation flaws, cross-site scripting (XSS), and SQL injection, and possess an in-depth understanding of the weaknesses in, and best defenses for, authentication, access control, and session management.

Areas Covered

  • Access control
  • AJAX technologies and security strategies
  • Security testing
  • Authentication
  • Cross origin policy attacks and mitigation
  • CSRF
  • Encryption and protecting sensitive data
  • File upload, response readiness, and proactive defense
  • Input-related flaws and input validation
  • Modern application framework issues and serialization
  • Session security and business logic
  • Web application and HTTP basics
  • Web architecture and configuration
  • Web services security

Who is GWEB for?

  • Application developers
  • Application security analysts or managers
  • Application architects
  • Penetration testers interested in learning about defensive strategies
  • Security professionals interested in learning about web application security
  • Auditors who need to understand defensive mechanisms in web applications
  • Employees of PCI-compliant organizations in need of training to comply with PCI requirements

Exam Format

  • 1 proctored exam
  • 3 hours
  • Minimum passing score of 68%
  • 75 questions

Note: GIAC periodically reviews and may update certification specifications to ensure fairness, validity, and reliability. Using a psychometric standard-setting study, GIAC has set the passing score for the GWEB exam at 68% for all candidates who receive the exam version released on or after September 27, 2025.

To confirm the exam format and passing score that apply to your specific attempt, please refer to the Certification Information section of your GIAC account: https://exams.giac.org/pages/attempts.

Certification Delivery

GIAC certification attempts will be activated in your GIAC account after your application has been approved and according to the terms of your purchase. Details on delivery will be provided along with your registration confirmation upon payment. You will receive an email notification when your certification attempt has been activated in your account. You will have 120 days from the date of activation to complete your certification attempt.

NOTE: All GIAC Certification exams are web-based and must be proctored. There are two proctoring options: remote proctoring through ProctorU, and onsite proctoring through PearsonVUE.


Exam Certification Objectives & Outcome Statements

  • Access Control: The candidate will demonstrate an understanding of access control attacks and mitigation strategies, and of how to apply best practices to avoid access control issues.
  • AJAX Technologies and Security Strategies: The candidate will demonstrate an understanding of Asynchronous JavaScript and XML (AJAX) architecture, common attacks against AJAX technologies, and best practices for securing applications that use AJAX.
  • Authentication: The candidate will demonstrate an understanding of web authentication, single sign-on methods, third-party session sharing and their common weaknesses, as well as how to develop test strategies and apply best practices.
  • Cross Origin Policy Attacks and Mitigation: The candidate will demonstrate an understanding of the methods attackers use to circumvent same-origin policy enforcement and of best practices for preventing, detecting, or mitigating these attacks in web applications.
  • CSRF: The candidate will demonstrate an understanding of the conditions that make a CSRF attack possible, the steps an attacker takes, and how to mitigate CSRF attacks.
  • Encryption and Protecting Sensitive Data: The candidate will demonstrate an understanding of how cryptographic components work together to protect web application data in transit and in storage, and of when and where to use encryption or tokenization to protect sensitive information.
  • File Upload, Response Readiness, Proactive Defense: The candidate will demonstrate an understanding of incident response as well as file upload, logging, and anti-automation issues.
  • Input Related Flaws and Input Validation: The candidate will demonstrate an understanding of SQL injection, cross-site scripting, and HTTP response splitting, and of how to protect against them with proper input validation.
  • Leading Edge Technologies and Web Security: The candidate will demonstrate an understanding of leading-edge web application security issues and technologies.
  • Modern Application Framework Issues and Serialization: The candidate will demonstrate an understanding of miscellaneous security technologies and techniques associated with web application security, including REST, Java frameworks, serialization, and browser defense.
  • Security Testing: The candidate will demonstrate an understanding of how to detect and respond to incidents and how to conduct security testing in the web application environment.
  • Session Security & Business Logic: The candidate will demonstrate an understanding of what sessions are, how to test for and mitigate common weaknesses, how to properly implement session tokens and cookies in a web application, and the security issues associated with business logic.
  • Web Application and HTTP Basics: The candidate will demonstrate an understanding of the building blocks of web applications, how components work together to deliver HTTP content, and high-level attack trends.
  • Web Architecture and Configuration: The candidate will demonstrate an understanding of web application architecture and of the controls needed to secure the servers and services that host web applications.
  • Web Services Security: The candidate will demonstrate an understanding of Service Oriented Architecture (SOA), common attacks against web services components (SOAP, XML, WSDL, etc.), and best practices for securing web services.

Practice Tests

  • Practice exams are a simulation of the real exam, allowing you to become familiar with the test engine and style of questions
  • Practice exams can serve as a gauge to determine if your preparation methods are sufficient
  • The bank of practice questions is limited, so you may encounter the same question on multiple practice tests
  • Practice exams never include actual exam questions

How To Prepare

Other Resources

  • Training is available in a variety of modalities, including live training and OnDemand
  • Practical work experience can help ensure that you have mastered the skills necessary for certification
  • College level courses or self-paced study through other programs or materials may meet the needs for mastery

Find Affiliate Training

Explore affiliate training options to prepare for your GIAC certification exam.
