Jul 7, 2020
In this post Mihai gives us a review of his experience with the Advanced Web Attacks And Exploitation course after obtaining his OSWE certification.
Originally published on May 10, 2020 and has been republished with consent from the author, Mihai.
I recently earned my OSWE. As always, I used the last few days before the exam to read reviews about other people’s experiences. I couldn’t find many articles about this course, so I decided to write this review.
I’ve been in the infosec industry for about one year and a half. I’m a high school student, so all my experience mainly comes from CTFs and HTB. I also hold the OSCP cert, but I wouldn’t consider it a prerequisite for this course.
AWAE is an advanced-level course, so there are some prerequisites. Most of them are listed on OffSec’s site:
I need to point out that knowing a scripting language is essential: during the course and the exam, you’ll be expected to write code that exploits the vulnerabilities you found. Being familiar with a language like Python (and its requests library) will give you a considerable time advantage during the exam.
Unlike PWK, the number of lab machines is very small. The manual covers the exploitation of 5 web applications, and that’s the number of VMs you’ll get access to.
In each chapter, there are some exercises which will help you determine whether you understood the concepts being taught or not. There are also some “extra mile exercises”, which are much harder than the normal ones. I highly recommend at least attempting to solve those, as you’ll definitely learn something new from each of them.
Even though I didn’t manage to finish all the exercises, I think 30 days are more than enough to finish the materials. After all, the result only depends on the amount of practice you put into the skills being taught. The manual isn’t very long and you should finish it in about 3 weeks (without the extra miles) going at a slow pace.
Here comes the fun part. The 48-hour hands-on exam is the highlight of the AWAE course. I tried to book my exam when my course was about to end and the nearest date was 2 months from then, so scheduling yours as soon as you get the link is a very good idea.
Note: Due to Offensive Security’s Academic Policy, I’m not allowed to go into much detail here. The things you find below can also be found in some Reddit threads.
On the exam, you’ll be given two VMs running two web apps, each containing an auth bypass and a remote code execution vulnerability. You’ll also be given creds for two debug machines which can be used to view the source code of the previously-mentioned apps and debug them. You won’t need to copy any application files to your local machine – the debug VMs will have all the tools you need. In order to pass the exam, you need to score 85 out of the 100 possible points.
I once read an OSCP review having one of these and I thought it was cool, so here’s my AWAE exam timeline:
AWAE is not an entry-level course. While it is as challenging as you would expect any OffSec course to be, I am the living proof that you can pass it on your 1st attempt. Like the OSCP, the exam feels a lot harder than it is before you take it and a lot easier after you’ve passed it. I really enjoyed going through the course and taking the exam – which felt like a long, well-made, memorable web CTF. I would recommend this course to anyone who wants to sharpen their skills in web application testing – and anyone who likes hard challenges.
Now, if you’ll excuse me, I have to catch up with my schoolwork.
Until next time, hack the world.
yakuhito, over.