Offensive Security Web Expert (OSWE) – Advanced Web Attacks and Exploitation
0x00 Introduction
The Advanced Web Attacks and Exploitation (AWAE) course is mainly about code auditing and learning how to chain multiple vulnerabilities to exploit the target system. The objective is to expand and develop students' knowledge of web application penetration testing and security research, including exploit development. Source code is acquired either by decompiling the target application with e.g. dnSpy or jd-gui, or simply by reading the source files supplied with the application (.php or .js files) directly. Targets in the exercises range from .Net, Java and Javascript to PHP applications, and there are more than a few programs used for examining them.
The course is a bit more on the advanced side, and some skills you should have (in my opinion) are programming knowledge of PHP, Java, Javascript and .Net. It also helps to have, or at least develop, a decent method for searching for vulnerabilities in large applications so you can narrow down the code you need to go through. I would recommend the course to people who work with code audits or penetration testing. The course is highly technically oriented and there is not much general discussion about code audits; it goes pretty much straight to the point.
As I was studying in my own time, I initially went for 90 days to have more than enough time to finish the course alongside my normal work. I would wager that if you did the course full time, you could finish it in about 2-4 weeks, depending on your background.
0x01 Course material & labs
The course labs are very similar to the OSCE labs. There are a few servers running vulnerable applications, and you have to re-create the exploits against those servers; of course, you have full access to the lab servers for debugging. The course documentation supplements the videos and vice versa. Overall, the materials are well done and they work great. I would have liked more information about methodologies for searching for vulnerabilities in code, and some keywords for each programming language. But then again, a lot would be missed if there were straight answers to all the questions. As usual with Offensive Security courses, you should do some research on the topics covered in the course to get the most out of it (not necessary, but I highly suggest reading and watching all referenced materials).
The most useful tools used in the course are (in no particular order):
- dnSpy
- jd-gui
- grep
- Burp Suite
I highly suggest doing all the extra mile exercises and getting very familiar with the tools used in the course.
0x02 The Exam
As always, not much can be said about the exam, but… The exam time is 47 hours 45 minutes, and after the exam there is a 24-hour window in which you have to submit the report to Offensive Security. The exam is proctored: you have to have the webcam running and share the host's screen with Offensive Security the whole time you are doing the exam. Before you start your exam, you will get a link to the exam guide. I suggest getting familiar with it and checking the suggested documentation templates, because they tell you what you need to put into your report, which in turn says something about what you need to document during the exam. So it is better to get familiar with that guide and the documentation templates so you have everything ready when you start writing the report. Try to avoid being sucked into the rabbit hole…
While doing the exam, I took a short break roughly every hour. Sometimes I took 1-2 hour breaks as well, took our dog (Hades) out for a walk, and slept for ~6 hours. I noticed that the breaks really did help: I got more ideas and got stuck less than in any other Offensive Security exam I have taken, while taking more breaks.
0x03 Tips and tricks:
- Try to develop a methodology that fits you for going through vast amounts of code.
- Enable all debug logging, e.g. in the application and the database(s).
- If possible, add your own debug messages to applications.
- Learn language-specific dangerous functions and search for them.
- Learn to use the tools used in the course exercises.
- If stuck, take a break and re-check what you’re doing.
- Run programs manually to view the console log.
- Take breaks and sleep properly.
- Follow logs with e.g. tail -f bla.log.
Links:
- https://blog.risingstack.com/node-js-security-checklist/
- https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
- https://community.microfocus.com/t5/Security-Research-Blog/New-NET-deserialization-gadget-for-compact-payload-When-size/ba-p/1763282
- https://docs.microsoft.com/en-us/dotnet/api/system.windows.data.objectdataprovider?view=netframework-4.8
- https://docs.microsoft.com/en-us/dotnet/standard/serialization/introducing-xml-serialization
- https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
- https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/
- https://github.com/aadityapurani/NodeJS-Red-Team-Cheat-Sheet
- https://github.com/carnal0wnage/exploits-1/blob/master/nodejsshell.py
- https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
- https://github.com/jesusprubio/awesome-nodejs-pentest
- https://github.com/pwntester/ysoserial.net
- https://github.com/qazbnm456/awesome-web-security/blob/master/README.md#practices-application
- https://github.com/timip/OSWE
- https://github.com/w181496/Web-CTF-Cheatsheet
- https://github.com/wetw0rk/AWAE-PREP
- https://ibreak.software/2016/08/nodejs-rce-and-a-simple-reverse-shell/
- https://medium.com/swlh/secure-code-review-and-penetration-testing-of-node-js-and-javascript-apps-41485b1a9518
- https://michaelscodingspot.com/the-battle-of-c-to-json-serializers-in-net-core-3/
- https://nytrosecurity.com/2018/05/30/understanding-java-deserialization/
- https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
- https://www.digitalocean.com/community/tutorials/using-grep-regular-expressions-to-search-for-text-patterns-in-linux
- https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf
- https://www.owasp.org/index.php/Blind_SQL_Injection
- https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
- https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
- https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project
- https://www.owasp.org/index.php/SQL_Injection
- https://www.php.net/manual/en/types.comparisons.php
- https://www.youtube.com/watch?v=ASYuK01H3Po
- https://www.youtube.com/watch?v=Xfbu-pQ1tIc