Long gone are the days of multiple-choice question exams and memorizing lesson material just long enough to gain a certification—that’s been the case in the penetration testing community, at least. Such a shift is particularly evident in the well-renowned trainings offered by Offensive Security, and their latest course is no exception. When I came across the Offensive Security Web Expert (OSWE) certification, I was immediately drawn to the promise of becoming a true web app exploit guru, and, spoiler alert—the certification delivered.
Before sitting for the exam to become certified as an OSWE, students must complete the Advanced Web Attacks and Exploitation (AWAE) course and lab environment, which is geared towards seasoned penetration testers looking to take their web application pen testing skills to the next level. This certification takes a white box approach—that is, discovering vulnerabilities from source code—and is equally valuable to professionals responsible for the overall security of a SaaS solution. Along with the knowledge of how to chain multiple vulnerabilities to achieve a greater impact, the AWAE course provides great insight into the development process and thorough understanding of how to spot common mistakes made by programmers—this all while also taking a deep dive into source code review and mapping out how to write advanced web app exploits. Moreover, if you’ve never performed manual SQL injection before—shout out to SQLMap—you will have it down by the end of this course.
Having recently completed the lab and successfully passed the exam, I can personally attest to the many ways this course has positively impacted my day-to-day work as a penetration tester. I can also speak to the fact that this is not an entry-level endeavor, and the following guide is intended to help aspiring OSWE candidates prepare for the course and make the most of their time in the lab.
What to Expect
First, the basics: the course is purchased with a package of 30, 60, or 90 days in the lab, and the cost covers your first exam attempt. The material consists of a 270-page PDF course guide, a 6-hour video series, and a virtual lab environment, which together form a step-by-step guide to exploiting the vulnerable web applications hosted in the lab. And although the training is without a doubt top-notch, I found that additional independent research was required to fully digest many of these advanced topics. Furthermore, depending on your previous experience with both web app exploitation and source code review, you can expect to spend 80-150 hours studying before moving on to the rigorous 48-hour exam. To get a better, more specific idea of what is covered in the course, take a peek at the AWAE Syllabus.
Preparing for the Course
While the AWAE itself absolutely delivers an immersive learning experience chock-full of real-world vulnerabilities, including everything needed to pass the exam, you will have a greater chance of passing on your first attempt if you take the time to prepare for the course itself. This is especially true for those who have not spent significant time in both the programming and penetration testing worlds.
In order to go in as primed as possible prior to beginning the course, the curated links below provide valuable insight into the necessary tools, languages, and vulnerabilities.
Burp Suite – Before the course, understand how to set up a temporary project and capture web traffic in Burp Suite Community Edition. Research how to set the scope, intercept requests, and manipulate requests using Repeater and Intruder.
Sublime Text – As stated in the OSWE Exam Guide, the course includes developing custom applications to automatically exploit the vulnerabilities discovered. Though various Python scripts serve as starting points for each exploit throughout the course, each student is ultimately responsible for writing unique code to generate working proof of concepts. As such, having an IDE to check your code for syntax errors and misspellings will likely save hours of frustration. (NOTE FROM THE AUTHOR: You are permitted to write these exploits in any language of your choosing; however, I recommend sticking with writing Python in the free Sublime Text IDE if you do not have a programming background.)
dnSpy – The AWAE does a fantastic job breaking down how to decompile .NET code, set breakpoints, and analyze functions in dnSpy. However, for those who would like to research this tool before starting the AWAE, check out these links:
(NOTE FROM THE AUTHOR: I had no prior knowledge of this application and found that the course provided more than enough material to feel comfortable.)
Reverse Shells – The ultimate goal of web application exploitation is to achieve remote code execution (RCE). For those without a penetration testing background or knowledge of the OSCP, take steps to learn how reverse shells can be uploaded and executed on a webserver. Before the course, understand the types of shells, their targeted frameworks, and their dependencies.
As the course is intended to teach how to perform source code reviews in search of vulnerabilities, it is imperative to understand how to follow the flow of code execution within a web application. At a minimum, have a firm understanding of the concepts below before starting this course; these concepts differ syntactically between languages but remain the basic building blocks of programming.
Required Programming Concepts
| Concept | What You Should Know |
| --- | --- |
| Data Types | • How are they declared? • How can they be cast/converted to other data types? • Which data types have the ability to hold multiple sets of data? |
| Variables & Constants | • Why do some data types need to be dynamic? • Why do some data types need to remain constant? |
| Keywords | • Which words are reserved and why can they not be used as a variable or constant? |
| Operators | • How is data compared to create logic? • Which operators are used to make these comparisons? |
| Conditionals | • How does logic branch from an if/then/else statement? |
| Loops | • What are loops primarily used for? • How is a loop exited? |
| Functions | • How are functions called? • How are they called from a different file in the codebase? • How is data passed to a function? • How is data returned from a function? |
| Comments | • Which characters denote the start of a comment? |
Required Web App Concepts
| Concept | What You Should Know |
| --- | --- |
| Input Validation | • How do web apps ensure user-provided data is valid? • Which types of data can be dangerous to a web app? |
| Databases | • What kinds of databases can be used by a web app? • How do database management systems differ? • How does a web app create, retrieve, update, or delete database data? |
| Authentication | • How does a web app authenticate users? • What are hashes? Why is data often stored as hashes? • How does an app compare a cleartext password to a hash? |
| Authorization | • How does a web app verify a user has the privileges to access a function or part of the app? |
| Sessions | • Which web technologies maintain a user’s session? • How does a web app set a user session? |
| File Input and Output | • How does a web app write and read files on the local system? • How does a web app prevent certain filetypes from being uploaded? |
| Language | Sample Project for Code Review |
| --- | --- |
| PHP | • Beginner: simple-php-website • Advanced: Fuel CMS |
| ASP.NET & C# | • Beginner: SimpleWebAppMVC • Moderate: Reddnet |
| JavaScript | • Beginner: Employee Database • Moderate: JS RealWorld Example App |
| Java | • Beginner: Java Web App – Step by Step • Advanced: GeoStore |
The AWAE does a great job of explaining the exploitation process of each vulnerability found in the lab. For those students with prior web app pen testing experience, do not expect these concepts to be overly difficult to grasp. Instead, the material will further reveal why the vulnerability exists from a coding standpoint and how the vulnerability affects a given framework; such an approach exposes just how many vulnerabilities could not have been discovered using a black box approach. It is only by truly understanding how an application is written that you can identify the gaps in logic that can be exploited. For a refresher before starting the AWAE, the following resources may help:
| Vulnerability | Resource |
| --- | --- |
| Cross-Site Scripting (XSS) | |
| Blind SQL Injection | |
| PHP Type Juggling | |
| Business Logic Vulnerabilities | • KBID – Auth Bypass 2 |
| File Upload Vulnerabilities | • Zorz VulnHub Writeup |
My Course Approach
If you’ve prepared for the AWAE in the way I’ve outlined above, you will feel largely comfortable with the material when you see it. The course maintains a natural progression, starting with an introduction to the tools you will be using, how to configure them, and how they are used in the context of web exploitation.
The key to learning this material effectively is to attempt each step of the exploitation process before you are taught how to do it, which is exactly what you would do in a real-world assessment, where the answers cannot be found on the next page. Once a vulnerability has been identified, perform independent research to uncover how to exploit it. Challenge yourself to spend a minimum of thirty minutes attempting each step without looking at the answer, because your ability to think critically and draw from previous experience will be tested during the exam. Some more specific tips:
• As you prepare your Kali VM, it is important to only use the tools shown in the PDF course guide. For instance, if a chapter is using Linux utilities (grep, find, vim/nano) to discover and review code, ensure you are doing the same.
• Fight the urge to import an entire codebase into your preferred IDE, as you will not be permitted to download source code from the challenge machines in the exam environment. You are, however, permitted to use an IDE on your host machine to write exploits for the vulnerabilities you discover.
• Complete the “extra mile” exercises found at the end of each section, and complete them as they are reached rather than going back after you’ve completed the entire course. These self-directed exercises will prepare you for the arduous task of writing custom exploits.
Finishing the Race
If you're like me, the OSWE exam will likely be among the most difficult technical challenges you come across during your tenure in the information security community. The greatest advice I can offer is that maintaining a hyper focus on the exam objectives will make all the difference, as there are countless opportunities to go down rabbit holes or to explore sections of code that do not align with the challenges you are tasked with completing. With more code than one can comprehensively review in a 48-hour window, it is necessary to make logical inferences as to where the vulnerabilities may reside.
Despite the looming difficulties, the exam is absolutely worth it. Looking back, my experience was incredibly rewarding and personally fulfilling. If you are looking for your next step to progress as a web application penetration tester, I wholeheartedly recommend pursuing the OSWE certification.
About the Author: Nathan Rague