Recently, Offensive-Security released an online version of their certification called “Offensive Security Web Expert” aka OSWE. After having already experienced and successfully obtained several other certifications from Offensive Security such as OSCP and OSCE, I was curious and intrigued to give the OSWE course a try as well.
I decided to choose the 2-month package option for the course called “Advanced Web Attacks and Exploitation” and, due to other commitments, I requested and was granted a minor 15-day extension.
After watching the videos and reading through the course material, I was very impressed by the content of the course, as it contained detailed information and analysis on certain in-depth attacks.
The course followed a white-box testing approach based on source code review: reading the code of the web application in order to find and exploit potential vulnerabilities.
The course material included several labs with web application software installed on them and by following the content provided in the course material, exploiting the machines was relatively easy.
Before embarking on this course, I would recommend that you have a good understanding of the following skills:
1. Python scripting language:
The course will require you to have a solid understanding of, as well as experience with, Python scripting, as it is used for automating the process of exploiting vulnerabilities as well as automating exploits.
2. Other programming languages:
3. Prior experience with web application attacks:
Prior experience with web application attacks will also be very advantageous as you will be required to have strong knowledge and understanding of common modern web attacks. Personally, I would also highly recommend reading the book titled “Web Application Hacker’s Handbook” beforehand as its content will be very helpful during the course and thereafter.
4. Source code review:
One of the outcomes of this course is learning how to do white-box testing on web applications by reviewing and understanding the code of the application. Therefore, prior experience in doing source code review on web applications will be advantageous.
5. Web development experience:
Having prior experience with web development and the workings of web applications will also assist with successfully completing this course.
After receiving the course materials, I began reading the book, watching videos and solving the exercises and milestones.
The first few chapters of the course were relatively basic, but from Chapter 4 onwards it became far more advanced. Personally, it was at this point that it really became fun, as the course delved deeper into advanced techniques and attack types.
Offensive Security recommends that you try and solve the exercises and milestones as you progress through the chapters to ensure that you get a better grasp and understanding of the materials and also as proof that you have understood everything in that particular chapter.
Below is a list of pros and cons to consider when deciding whether to take this course:
Pros:
- Great for learning and advancing white box testing and source code review skills.
- The course covers advanced real-world vulnerabilities such as deserialization attacks and advanced techniques.
- The course covers a wide range of vulnerabilities and exploits, including medium, high and critical risk.
Cons:
- Although the course covers many different attack types, there are a few that are not covered in the course, for example, XXE, SSRF, CSRF and SSTI.
- More exercise work and milestones would be advantageous to learners.
The lab review:
The lab consisted of 5 machines which contained the web applications as discussed in the course material. Therefore, by going through the course material comprehensively and successfully completing the course exercises and milestones, you should be able to successfully execute the necessary attacks and exploitation paths.
Personally, I would recommend practicing as much as possible before moving onto the exam, as this will help increase your skills and confidence.
The exam review:
The exam for the OSWE course is a 48-hour exam, which includes an additional 24 hours for writing your step-by-step report of the exam. As with all exams, I would recommend that you get enough sleep to ensure that you are well rested and able to perform at your peak.
During the exam, I had not rested enough and it started to affect my performance; therefore, my recommendation is that if you start feeling tired, go sleep for a bit and then resume, as this will help you to think more clearly.
A few other suggestions from my experience are to remember to get up and take a walk every few hours, and don’t forget to take screenshots as you solve the challenges in the exam.
Lastly, try not to stress too much about the exam, try to think of it as a challenge that you are trying to solve, rather than an exam itself.
Important material to read before undertaking this course:
Below is a list of content material that I would recommend that you read and work through before you undertake the OSWE course:
- “The Web Application Hacker’s Handbook” (https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470)
- Pentest monkey will be helpful for some reverse shell cheat sheets (http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
- Deserialization attacks on .NET (https://www.youtube.com/watch?v=eDfGpu3iE4Q)
- Deserialization in several programming languages (https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)
OSWE is a very good course for people looking to improve their source code review skills as well as learning how to detect bugs and vulnerabilities by searching for them in the code itself. I would recommend that you book your exam not long after your lab time ends, so that the information you have learned will be fresh and ready to be used. Overall I enjoyed my OSWE experience and would therefore recommend it to others.
- Blog post by Motaz of Telspace Systems