
100+ Free BSCP Practice Questions

Burp Suite Certified Practitioner (BSCP) practice questions are available now; exam metadata is being verified.

Pass rate: PortSwigger does not publish pass rate data.
Key Facts: BSCP Exam (2026 statistics; the source for each figure is PortSwigger)

- Cost: $99 per exam attempt
- Exam duration: 4 hours
- Stages to complete: 6 (2 applications × 3 stages each)
- Certificate validity: 5 years
- Web Security Academy topics: 30+
- Exam style: open-book

The BSCP (Burp Suite Certified Practitioner) is PortSwigger's official web security certification. The 4-hour practical exam presents two web applications, each requiring three stages: a foothold (initial access), privilege escalation (admin), and data exfiltration; all 6 stages must be completed. The exam is open-book and requires Burp Suite Professional. At $99 per attempt it is one of the most affordable practical web security certifications. Preparation requires completing the full Web Security Academy curriculum, including all Apprentice and Practitioner labs.

Sample BSCP Practice Questions

Try these sample questions to test your BSCP exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. In a classic SQL injection attack, which SQL keyword allows an attacker to append an additional SELECT query to the original query in order to retrieve data from a different table?
A. UNION
B. JOIN
C. INSERT
D. MERGE
Explanation: The UNION keyword in SQL lets an attacker append a second SELECT statement whose results are combined with the original query's results. To work, both queries must return the same number of columns with compatible data types. UNION-based SQLi is a primary technique for extracting data from other tables.

2. When testing for blind SQL injection, an attacker submits the payload `' AND SLEEP(5)--` and the application takes five additional seconds to respond. What does this confirm?
A. The application is vulnerable to error-based SQLi
B. The application is vulnerable to time-based blind SQLi
C. The application sanitizes inputs but is still injectable via UNION
D. The application's WAF can be bypassed with sleep payloads
Explanation: A five-second delay matching the SLEEP argument confirms time-based blind SQL injection. When no data is returned in the response body and no errors are visible, the response time serves as a side-channel signal to infer whether an injected condition evaluated to true. Error-based and UNION-based techniques produce visible responses, making them distinct from time-based blind injection.

3. A reflected XSS payload is injected via a URL query parameter and immediately rendered into an HTML attribute without encoding. Which of the following payloads would most reliably break out of the attribute context and execute JavaScript?
A. javascript:alert(1)
B. <script>alert(1)</script>
C. " onmouseover="alert(1)
D. ';alert(1)//
Explanation: The double-quote character closes the attribute value, and `onmouseover="alert(1)` then injects an event handler that executes JavaScript. This pattern works because the payload escapes the attribute context first. The other payloads either require a tag context, a href context, or a JavaScript execution context that isn't present in an HTML attribute.

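As an added illustration (not code from the original page or from PortSwigger), the following Python snippet renders the payload from question 3 into an attribute twice, once without encoding and once with attribute-aware HTML encoding, and then parses the resulting markup to list which attributes the browser-side parser would actually see. The template, the `input` element and the parsing helper are constructed for this example; the defensive point is that context-aware output encoding keeps the injected double quote inside the attribute value, so no `onmouseover` attribute ever exists.

```python
import html
from html.parser import HTMLParser
from typing import List

# The attribute-breakout payload discussed in question 3.
PAYLOAD = '" onmouseover="alert(1)'


def render_unsafe(value: str) -> str:
    """Constructed 'before' template: user input dropped straight into an attribute."""
    return f'<input type="text" name="q" value="{value}">'


def render_safe(value: str) -> str:
    """Constructed 'after' template: html.escape with quote=True encodes both quote characters."""
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


class _AttrCollector(HTMLParser):
    """Records the attribute names of the first <input> tag encountered."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = [name for name, _ in attrs]


def attribute_names(markup: str) -> List[str]:
    """Return the attribute names a tokenizer sees on the <input> element."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def has_event_handler(markup: str) -> bool:
    """True when any on* attribute (an inline event handler) appears on the element."""
    return any(name.startswith("on") for name in attribute_names(markup))


if __name__ == "__main__":
    for label, render in (("unencoded", render_unsafe), ("encoded", render_safe)):
        markup = render(PAYLOAD)
        print(f"{label}: {markup}")
        print(f"  attributes seen: {attribute_names(markup)}")
        print(f"  event handler injected: {has_event_handler(markup)}")
```

Run it and compare the two attribute lists: the unencoded rendering grows an extra `onmouseover` attribute, while the encoded rendering still has exactly `type`, `name` and `value`, with the payload sitting harmlessly inside the value.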
4. A stored XSS payload is inserted into a database via a product review form and later rendered on the product page for all visitors. Which characteristic distinguishes stored XSS from reflected XSS?
A. The payload relies on the browser's DOM manipulation APIs
B. The payload executes only in the attacker's own browser session
C. The payload requires the victim to click a specially crafted link
D. The payload persists in the application and affects multiple users automatically
Explanation: Stored (persistent) XSS is distinguished by the fact that the malicious payload is saved server-side and executes automatically for every user who loads the affected page, without requiring any additional interaction. Reflected XSS, by contrast, requires a victim to follow a crafted URL. DOM-based XSS involves client-side manipulation of the DOM and is a separate category.

5. In a CSRF attack, which same-site cookie attribute provides the strongest protection by preventing the browser from sending cookies on any cross-site request, including top-level navigations?
A. SameSite=Strict
B. SameSite=Lax
C. SameSite=None; Secure
D. HttpOnly
Explanation: SameSite=Strict instructs the browser to send the cookie only on same-site requests, including navigation. It is the strongest CSRF protection of the three SameSite values because it blocks cookies even on top-level cross-site GET navigation. SameSite=Lax allows cookies on top-level GET navigation, leaving some CSRF vectors open. HttpOnly mitigates XSS-based cookie theft but does not address CSRF.

6. An HTTP request smuggling attack exploits ambiguity between the Content-Length (CL) and Transfer-Encoding (TE) headers. In a CL.TE attack, how do the front-end and back-end servers interpret the request?
A. Front-end uses Transfer-Encoding; back-end uses Content-Length
B. Front-end uses Content-Length; back-end uses Transfer-Encoding
C. Both servers use Content-Length but with different values
D. Both servers use Transfer-Encoding but parse chunk boundaries differently
Explanation: In a CL.TE desync, the front-end proxy trusts Content-Length to determine the request boundary, while the back-end uses Transfer-Encoding (chunked). The attacker crafts a request where the CL and TE headers specify different body lengths, causing the back-end to treat leftover bytes as the beginning of the next request, smuggling a prefix of data into subsequent connections.

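As an added example (not from the original page or from PortSwigger), the Python code below frames one constructed request two ways, as a server that honours only Content-Length would and as a server that honours only chunked Transfer-Encoding would, and reports when the two framings disagree about where the request ends. That disagreement is the CL.TE condition described above, and the same check is what a front-end proxy or a log-analysis job can use to reject or flag ambiguous requests. The request bytes, the `shop.example` host and the minimal header parser are all constructed for this example; the chunked parser does not handle trailers.

```python
from typing import Dict, Tuple


def parse_head(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Split a raw HTTP/1.1 request into request line, lower-cased headers and the bytes after the blank line."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def frame_by_content_length(headers: Dict[bytes, bytes], rest: bytes) -> Tuple[bytes, bytes]:
    """Body boundary as a Content-Length-only server sees it: (body, bytes left on the connection)."""
    n = int(headers.get(b"content-length", b"0"))
    return rest[:n], rest[n:]


def frame_by_chunked(rest: bytes) -> Tuple[bytes, bytes]:
    """Body boundary as a chunked-only server sees it: (decoded body, bytes left on the connection)."""
    body = b""
    pos = 0
    while True:
        line_end = rest.index(b"\r\n", pos)
        size = int(rest[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            pos += 2  # CRLF that terminates the zero-length chunk (trailers not supported here)
            return body, rest[pos:]
        body += rest[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def check_desync(raw: bytes) -> Tuple[bool, bytes, bytes]:
    """Return (ambiguous, leftover_under_CL, leftover_under_TE) for one raw request.

    A request is only ambiguous when it carries both a Content-Length header and a
    chunked Transfer-Encoding header and the two framings leave different bytes behind.
    """
    _, headers, rest = parse_head(raw)
    has_cl = b"content-length" in headers
    has_te = b"chunked" in headers.get(b"transfer-encoding", b"").lower()
    if not (has_cl and has_te):
        return False, b"", b""
    _, cl_left = frame_by_content_length(headers, rest)
    _, te_left = frame_by_chunked(rest)
    return cl_left != te_left, cl_left, te_left


# Constructed sample: CL says 13 body bytes, the chunked body ends after "0\r\n\r\n".
CLTE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\nSMUGGLED"
)

# Constructed sample: an ordinary request with a single, unambiguous framing header.
NORMAL_REQUEST = b"POST / HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 5\r\n\r\nhello"


if __name__ == "__main__":
    for label, req in (("CL.TE", CLTE_REQUEST), ("normal", NORMAL_REQUEST)):
        ambiguous, cl_left, te_left = check_desync(req)
        print(f"{label}: ambiguous={ambiguous} CL leftover={cl_left!r} TE leftover={te_left!r}")
```

For the constructed CL.TE request, a Content-Length front-end forwards all 13 body bytes and leaves nothing behind, while a chunked back-end stops at the zero-length chunk and keeps `SMUGGLED` as the start of the next request on that connection, which is exactly the split the explanation describes. The defensive policy this check supports is to refuse (or normalise to a single framing header) any request that carries both headers, so the two ends of the proxy chain can never disagree.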
7. Which of the following best describes the goal of a web cache poisoning attack?
A. Bypass authentication by replaying cached tokens from a previous session
B. Steal session cookies stored in the browser's HTTP cache
C. Inject a malicious response into a shared cache so subsequent legitimate users receive harmful content
D. Inject SQL into cached database queries to exfiltrate data
Explanation: Web cache poisoning forces a caching layer (CDN, reverse proxy, or browser cache) to store and serve an attacker-controlled response to subsequent users. The attacker uses unkeyed inputs (headers, query parameters) to make the cache store a poisoned version of a page, delivering malicious content such as XSS payloads to all visitors who receive the cached response.

8. When testing for web cache deception, an attacker appends a fake static file extension to a dynamic URL (e.g., `/account/profile/test.css`). What is the attacker's objective?
A. Force the back-end to return a 404 so the error page is cached
B. Bypass CSP headers that only apply to HTML responses
C. Overwrite a cached CSS file with the victim's profile data
D. Trick the cache into storing sensitive dynamic content by matching a static file caching rule
Explanation: Web cache deception exploits mismatches between cache rules and back-end routing. If the cache stores responses for URLs ending in `.css` regardless of the actual back-end content type, an attacker can cause a victim to load `profile/test.css`, which the back-end serves as the profile page (with sensitive data), and the cache then stores. The attacker subsequently fetches the same URL to read the cached sensitive data.

9. In Java-based insecure deserialization attacks, which class in the Apache Commons Collections library is frequently used as a gadget chain starting point to achieve remote code execution?
A. InvokerTransformer
B. ObjectOutputStream
C. ClassLoader
D. Serializable
Explanation: InvokerTransformer from Apache Commons Collections is the core gadget used in the ysoserial CommonsCollections chain. It invokes arbitrary methods via reflection. When chained with other gadgets, it enables arbitrary command execution during deserialization without the application explicitly calling exec(). ObjectOutputStream is for serializing objects; ClassLoader and Serializable are foundational Java mechanisms, not RCE gadgets.

10. A login form accepts a username of `administrator'--` and successfully authenticates without a password. Which SQL injection technique does this exploit?
A. UNION-based data extraction
B. Comment-based authentication bypass
C. Second-order SQL injection
D. Blind boolean-based injection
Explanation: By injecting `administrator'--` the attacker causes the SQL query to become `SELECT * FROM users WHERE username='administrator'--' AND password='...'`. The `--` comment sequence causes everything after it, including the password check, to be ignored, granting login access without a valid password. This is a classic comment-based authentication bypass.
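As an added example (not code from the original page or from PortSwigger), the Python program below reproduces the comment-based bypass from question 10 against a constructed in-memory SQLite table and then shows the parameterized query that closes it. The `users` table, its two rows and the column names are all made up for this example; the point is that with a bound parameter the string `administrator'--` is compared as a literal username and matches nothing, so the password check is never skipped.

```python
import sqlite3
from typing import Optional

# The username from question 10; the trailing -- turns the rest of the query into a comment.
BYPASS_USERNAME = "administrator'--"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table (sample data, not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("administrator", "example-admin-password", "admin"),
         ("wiener", "peter", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """The 'before' pattern: untrusted input concatenated into the SQL text.

    With username administrator'-- the statement becomes
    SELECT username FROM users WHERE username='administrator'--' AND password='...'
    and the password comparison is commented out.
    """
    sql = (
        "SELECT username FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """The fix: the query text is fixed and both values travel as bound parameters."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, bypass username, wrong password ->",
          login_vulnerable(conn, BYPASS_USERNAME, "wrong"))
    print("parameterized, bypass username, wrong password ->",
          login_parameterized(conn, BYPASS_USERNAME, "wrong"))
    print("parameterized, valid credentials ->",
          login_parameterized(conn, "wiener", "peter"))
```

The vulnerable function returns `administrator` for the bypass username with any password, while the parameterized version returns `None` for it and still authenticates a genuine user. Parameterized queries (prepared statements) are the primary mitigation the explanation's failure implies; input filtering of `'` or `--` is a weaker, secondary control because the query structure itself remains attacker-influenced.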

About the BSCP Practice Questions

Verified exam format metadata for Burp Suite Certified Practitioner (BSCP) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.