My OSWE journey
As of 2021-08-07, I am officialy OSWE (Offensive Security Web Exploitation) certified. I must be lucky when it comes to Offensive Security exams, because I received my notification of a pass less than 24 hours after submitting my exam report.
It was a bit easier to believe I passed, because this course was completely without my set of skills that I’ve developed over a number of years.
What is OSWE
Advanced Web Attacks and Exploitation (WEB-300) is an advanced web application security review course. We teach the skills needed to conduct white box web app penetration tests.
What I took away from the course
Being a developer for most of my life, and spending a lot of time on web application projects these last few years, I was looking forward to this course.
There wasn’t anything new that I could see in the syllabus, or at least not something I haven’t researched or played around with before in a CTF competition.
What was great was to sit down and experiment with the techniques in a lab environment, and not be pressed for time like you are in a CTF normally.
As what I’ve become used to, the course materials were laid out well. Each of the modules teaches something different, and it goes into great detail how or why a vulnerability is a vulnerability.
There are plenty of exercises to test what is being taught, as well as
extra-miles exercises. To complete these you need to go and research a bit further. It’s worthwhile doing these as it forces you to research the concept of that chapter or section. It’s also good preparation for real world examples, because you are faced with various issues (such as encoding over HTTP) that you need to figure out how to resolve.
I also used this time to build on my custom scripts that I’ve been using, in the hope they would come in handy during the exam.
I would estimate about 80% of the time during this course, you are reviewing source code, in order to identify vulnerabilities. I find it difficult to imagine how someone that has no development, or any coding, experience to get through this course easily. It’s also not just one language that you need to be able to read.
The LAB and challenges
There are 3 web applications that you are given, which you need to research and exploit. You can approach two of them as whitebox or blackbox, but the final one is blackbox only.
I enjoyed these challenges, and after finding initial vulnerabilities, I kept digging at the code finding more.
After I had finished my course notes and the challenges in a relatively short time, I had booked my exam. While waiting for the date, I kept looking for VMs to try and further practise on.
I came across these challenges by a fellow OSWE student. https://williammoody.com/challenges. I found these quite valuable for further practise.
I had to schedule my exam for a day where I would have to start at 03:00. I knew it was going to be a bit difficult starting so early in the morning, but I unfortunately didn’t have much choice. The night before I couldn’t sleep properly, too excited to get going. When the alarm went off to get up, I was ready to go though.
In hindsight, the very first thing I noticed in the source code, ended up being what I needed to exploit, but only did so about 12 hours later. I can’t really say where I made my biggest mistake, because that would give away a section of the exam. All I can say is I should’ve trusted my gut.
I was able to get everything completed without about 18 hours.
I went into the exam a little over confident, and after a few hours of not really progressing at the start I was stressing myself out for no reason at all. I decided to take a break after about 10 hours, and when I came back, everything just clicked for me.
I even had time to optimise one of my exploits to run better and faster.
There was also plenty of time to write a very detailed report.
You are given more than enough time in my opinion to successfully complete this.
All I can say about this is if you’re going to do all the exercises, and you do all the challenges and understand what is being taught, you will be absolutely fine in the exam.
People keep asking about the exam environment, and all the regulations and restrictions. All I can say, the same everyone keeps saying, is that on the day you receive your exam instructions, everything will be clear to you. You will be provided with everything you need to complete this.
I’m about to enroll in the Offensive Security Exploit Developer (OSED) course.