NEW FEATURE
Cobalt PtaaS + DAST combines manual pentests and automated scanning for comprehensive applications security.
NEW FEATURE
Cobalt PtaaS + DAST combines manual pentests and automated scanning for comprehensive applications security.

Video: AWAE/OSWE For Humans

This blog is a personal account from Reando Veshi of preparing for and taking the OSWE (Advanced Web Attacks and Exploitation) exam. Reando shares his experience along with tips that helped him in his journey.

This will be a thorough review, not focused on giving information about the exam that you can find in so many other reviews, but more of tips and tricks that led me through it, all seasoned with some healthy humor.

Key Concepts for OSWE

  • What do I need to do to deal with the OSWE exam? 

  • Besides a miracle of Medjugorje?

Let's start from the beginning.

What is OSWE?

Advanced Web Attacks and Exploitation (WEB-300) is an advanced web application security course that teaches the skills needed to conduct white box web app penetration tests. 

What you need to understand about the OffSec Web Expert (OSWE) exam is that it is not a sprint race like an OSCP can be, but more like a marathon, where perseverance and good management of time, strength, and focus can get us to the end of this exam.

The proper use of these components, obviously seasoned with the preparation we will discuss shortly, are the keys to passing such an exam, a 48-hour exam.

Like all OffSec courses, the course provides slides from which to study and videos from which to learn the techniques needed for the exam.

You will cover all the big vulnerability classes and lesser-known ones you usually don’t encounter in your daily bug bounty business. Some of these are:

  • Authentication Bypasses of all kinds
  • Type Juggling
  • SQL Injection
  • Server-Side JavaScript Injection
  • Deserialization(java, .net) 
  • Server-Side Template Injection
  • Cross-Site Scripting 
  • Server-Side Request Forgery
  • Prototype Pollution
  • Classic command injection

I recommend only taking the course if you have a strong foundation in programming first.

Before taking the course and starting studying, I did an analysis of the course syllabus of those points I might be lacking, and there it was, the big monster: C#.

In my professional life, I have dealt with C# from a code review point of view a few times. I've always been involved in pentesting, and for the last couple of years, I've moved into application security, where I've been eating and drinking JAVA every day, sometimes talking to PHP and Node.js, and in short, Python is our baby for any pentester who wants to be a real pentester.

So that left him, C#, this big monster, although in the end, having JAVA on my side could help me conquer this sacred monster.

Preparing for the AWAE/OSWE Exam

How to overcome this obstacle? 

Simple, I bought a course on C#. This course would teach me from the basics to the most advanced features, including debugging.

Any advanced C# course on Udemy is fine; otherwise, a first reading of the following courses:

Let's say you are confident with C# and maybe not with node.js, php, python or JAVA(divine monster).

Allow me to introduce you to the holy grail to better prepare you. 

Since I learned about SecureFlag about 2 years ago, my knowledge and wisdom of code review has increased by leaps and bounds. I was still working in Oracle when I needed to improve my code reading skills and find vulnerabilities.

SecureFlag is a 100% hands-on Secure Coding Training platform for Developers, DevOps, and QA engineers. Very good, just what I needed.

Warning!!! 

To take this exam, I'm not saying you have to be a developer for years or know how to write code with your eyes closed, but knowing how to read code, debug, and find and identify vulnerabilities is 90% of the course(code review).

With a partnership with OWASP, if you have an OWASP email, you can register on SecureFlag for free and have the essentials available to learn how to find vulnerabilities in various languages and the remediation part.

Just what was needed. We have labs available for JAVA, Node.js, Python, PHP, and even he, yes, .NET.

Plus, on SecureFlag, you can find many other labs for languages, frameworks, and technologies.



You can find a lot of workshops in different languages based on various difficulties that can help you learn how to recognize code vulnerabilities and the remediation part.

After finishing the course and all the material given by OffSec, I finished all the labs by doing them twice. The first time solving and taking notes. The second time by trying to automate them.

REMEMBER: To pass the exam, you must also create a script that automatically does authentication bypass and RCE itself.

Of course, I could only opt for our love, python (I heard many also use GO for the exam, a great alternative).

After booking the exam, I didn't stop and looked for particular challenges that could put me in view of the exam.

I found some good challenges thanks to William Moody; you can find his VMs on GitHub:

While waiting for the exam, I continued to review and do CTF and everyday web hacking challenges, blackbox style, to stimulate the idea and review.

Of course, I relied on dear PWNX, where you can find a lot of web challenges in the premium package.

 

The Day of the Exam

I booked the exam at 7 am to start fresh. I decided to leave and tackle one app a day, being 2 apps to hack on the exam and 1 a day to get OSWE out of the way. 

Starting with the first app, within 8 hours, I completed the machine, exploited everything, and got the two flags.

During the first day, I took multiple breaks for coffee, smoking, and eating, and in the afternoon, I also rested for about 3 hours.

I came back at 2 a.m. The first day I trudged a bit in writing the script. I wanted to do 0-click, where I had to launch it, and everything automatically came up with the reverse shell. 

At about 3:30, I finish, get those few screens I missed, relaunch the script one last time, and slump into the couch for a long sleep until 11 a.m. the next day.

Awakened, and with coffee in hand, I approached the second machine.

After several pauses and prayers, I exploited the machine and got the 2 missing flags.

All this until 9:30 in the evening of the second day. I had already started the second script but decided to go and rest for a couple of hours and then come back and give the exam a single shot until the end.

I got to 6 a.m., where I had also finished the second script, half though because I had managed to get all 4 flags but still needed a reverse shell on the second machine. 

So everything had to be perfect; the scripts, screenshots, and notes I had taken had to be perfect to write the exams. 

At about 2 hours to the end, I had finished and checked the notes repeatedly. I don't know how many times I launched the scripts to ensure everything went smoothly.

I finished the exam with really tremendous satisfaction. 

I was confident about how it went, but the feeling this exam leaves you with is really something exceptional.

Lessons Learned

The time to take the exam is there, and it is correct. 

I noticed that comparing myself with colleagues and seeing other reviews about time management could have been better preparation.

As mentioned earlier, this is not a sprint race but a marathon. This is where consistency, focus, and how to optimize the timing reigns.

Another mistake I have seen made is lousy preparation. Do the labs twice; the scripting phase is crucial for the exam, even with scripts that automate everything. 

Knowing how to identify vulnerabilities, learn how to debug, and read code is the soul of this course and exam; read as much code as you can and practice with more white-box machines you find online.

Resources

Tools to learn

  • dnSpy – .NET decompiler
  • Python requests and exploit building
  • jd-gui for java
  • use Visual Studio Code regularly (many benefits; hotkeys and debugging, going to modules/references)
    • leverage Visual Studio Code SSH extensions
    • understand the launch_json files in Visual Code
  • Burp (set scope, intercept requests, manipulate requests…)

Cobalt Core Secret Sauce CTA Image 2022

Back to Blog
About Reando Veshi
I am a penetration tester and occasional bug hunter. As a lover of WebSec, I always like to find something wrong and fix it. I have been passionate about computer science since childhood and have been in the security world for five and a half years. I started studying IT many years ago in school and university, where I learned JAVA and C and PHP, Python, and Javascript during my career. I’m the founder of Pentesting Made Simple, an Italian community where we speak about Pentesting, Bug Bounty, and Ethical Hacking in general. More By Reando Veshi
Introduction to Serverless Vulnerabilities
Core Pentester Harsh Bothra introduces us to serverless vulnerabilities. He reviews the top 10 vulnerabilities and concludes with how to remediate them.
Blog
Nov 23, 2022