Shortly after earning my OSCP, I wanted to someday continue that push through the Cracking the Perimeter/OSCE certification as well. I never got around to it, and then OffSec retired that course while releasing AWAE (now WEB-300)/OSWE (and EXP-301/OSED), which I immediately also wanted to do. Part of my prep for a major certification is to Google all sorts of reviews and posts about the certification, along with the study materials, tips, and insights other students found useful. This includes blogs, Reddit posts, forum posts, and anything else that I could find or dig through. As such, I did plenty of this as preparation for the AWAE (WEB-300). I still plan to pursue this someday, but for now I wanted to share what I had compiled into my personal notes.
Some of these things I may have gained knowledge of through other less formal means over the past few years or just outright completed without really planning it, but AWAE is still pretty new and all of these resources are likely still relevant.
That said, never let too much preparation get in the way of getting access to the course and the labs for practice. You don’t just get sent off straight into an exam, and can always put that part off for later if some gaps in knowledge continue to linger.
Lastly, it should go without saying to click links below at your own discretion. All are external to this site.
My Goals
- level up my hands-on web app pentesting
- code review skills looking at vulnerabilities
- writing exploits for web app vulnerabilities
- actionable python (requests, etc)
- learn much more about .NET, C#, nodejs, php, and some more on java…enough to feel comfortable reading source code and tracing requests and parameters
- more familiarity with Visual Studio Code, debuggers
I do like to write out goals, as they do a few things for me. First, the goals help make sure I’m aligning my certification path and the preparation towards it with what I hope to get out of it. Second, they give me an idea of what the certification path is all about, so that I can slot other possible preparation topics into it. In other words, managing expectations and summarizing the output.
This is my initial seeding of research and prep
- https://hub.schellman.com/blog/oswe-review-and-exam-preparation-guide
- https://medium.com/@klockw3rk/offensive-security-advanced-web-attacks-and-exploitations-awae-what-you-need-to-know-349933b72d24
- https://www.reddit.com/r/OSWE/comments/k0gcrm/awaeoswe_review_from_nondeveloper_perspective/
- https://blog.kuhi.to/offsec-awae-oswe-review
- https://www.reddit.com/r/OSWE/comments/ioj8gb/passed_oswe_taking_questions/
- https://medium.com/greenwolf-security/an-awae-oswe-review-2020-update-6d6ec7a80c1f
- Java coding, PHP, Microsoft MVC, C#, JavaScript, Python web requests handling
- WAHH Ch 19 and 21
- https://www.offensive-security.com/documentation/awae-syllabus.pdf
- https://forum.hackthebox.eu/discussion/2646/oswe-exam-review-2020-notes-gifts-inside (+thread)
- https://www.reddit.com/r/OSWE/comments/i0p187/failed_my_first_attempt/
- https://z-r0crypt.github.io/blog/2020/01/22/oswe/awae-preparation/
- Maybe I should do the Web Security Academy from PortSwigger first? Also Pentester Academy.
- https://www.reddit.com/r/OSWE/comments/jyr7sj/source_code_revie_methodologies/
- https://www.youtube.com/watch?v=F46tQww_IvE
- https://stacktrac3.co/oswe-review-awae-course/
- https://github.com/wetw0rk/AWAE-PREP
- https://github.com/timip/OSWE
- https://www.youtube.com/watch?v=ElZ7fFE9Gr4
Preparation Checklist
This is my review of the above items and an attempt at setting up some semblance of a plan. Considering what this cert is, I definitely don’t see myself signing up for this until the latter half of 2021. Worst case scenario, I am not entirely prepared, but sign up for the course anyway and either put off or fail the exam. Either way, I still come out of that with some learning, extra time (and less stress based on deadlines), and a good idea of my next steps.
General things I need to do:
- learn what MVC and OOP really mean
- Python, writing small scripts to deliver exploits, handle requests <-- should be comfortable with this
- C#/.NET
- nodejs/Javascript
- php
- java
- learn debugging and decompiling tools, dnSpy, JD-GUI
- regex
- more SQL injection
- do various vulnerable web apps
- Visual Studio Code
- SublimeText
- brush up on various in-scope web app vulnerabilities types
- comfortable debugging the above on Windows and Linux, or at least aware of techniques
Actual things to do
- check out practice labs: https://twitter.com/trouble1_raunak/status/1361652466006315010
- book: WAHH ch 19 and 21
- course: PortSwigger’s Web Security Academy
- course: pentesterlab
- pentesterlabs XSS-to-RCE exercise is very helpful
- do other exercises again
- do code review badge again?
- challenges: https://edabit.com/
- challenges: do wetw0rk php challenges before lab!
- challenges: do wetw0rk javascript challenges before lab!
- vuln app: do DVWA
- writing python scripts for DVWA exercises
- vuln app: do bwapp (or bee-box for preinstalled VM)
- vuln app: owasp juice shop
- vuln app: vuln web apps like ospaykj? oscode for nodejs and oscode for c#?
- vuln app: https://wiki.owasp.org/index.php/Category:OWASP_Code_Review_Project
- vuln app: nodejs https://github.com/snoopysecurity/dvws-node
- vuln app: https://github.com/appsecco/dvna
- challenges: pentester academy WAP challenges
- book: check red team/blue team books on the languages or tools to be used
- book: check any other debugging books I have for tools, ways to decompile or debug apps
- book: check any other web app books I have
- challenges: TJNull’s playlist for OSWE: https://www.youtube.com/playlist?list=PLidcsTyj9JXKTnpphkJ310PVVGF-GuZA0
- challenges: some vulns to read up on or even practice: https://github.com/timip/OSWE
- challenges: https://hackxor.net/
- vuln app: OSCode for .NET framework? <-- still not sure what this is
- read: https://owasp.org/www-project-security-knowledge-framework/
- compilation: https://www.yeahhub.com/vulnerable-web-mobile-os-projects/
- challenges: game of hacks http://www.gameofhacks.com/
- challenges: tryhackme – may be some relevant things here
Tools
- dnSpy – .NET decompiler
- Python requests and exploit building
- know python requests inside and out, especially the session object
- https://requests.readthedocs.io/en/master/
- JD-GUI for java?
- use Visual Studio Code regularly (many benefits; hotkeys and debugging, going to modules/references)
- leverage Visual Studio Code SSH extensions
- understand the launch.json files in Visual Studio Code
- learn some SublimeText (for python)
- Burp (set scope, intercept requests, manipulate requests…)
Languages / major themes / skills
- c# .NET MVC
- look into how MVC works
- C# in an hour: https://www.youtube.com/watch?v=gfkTfcpWqAY
- asp.net MVC in 1 hour: https://www.youtube.com/watch?v=E7Voso411Vs
- https://codingo.io/reverse-engineering/ctf/2017/07/25/Decompiling-CSharp-By-Example-with-Cracknet.html
- beg/advanced projects to review: https://hub.schellman.com/blog/oswe-review-and-exam-preparation-guide
- watch: https://www.youtube.com/watch?v=Xfbu-pQ1tIc&list=PLwvifWoWyqwqkmJ3ieTG6uXUSuid95L33
- learn how to debug applications, echo variables, trace, decompile if necessary, etc. (interpreted=print, compiled=step)
- nodejs -> javascript
- nodejs crash course youtube (traversy media)
- javascript for pentesters (Pentester academy)
- https://github.com/wetw0rk/AWAE-PREP/tree/master/JavaScript%20For%20Pentesters
- beg/advanced projects to review: https://hub.schellman.com/blog/oswe-review-and-exam-preparation-guide
- learn how to debug applications, echo variables, trace, decompile if necessary, etc. (interpreted=print, compiled=step)
- java
- beg/advanced projects to review: https://hub.schellman.com/blog/oswe-review-and-exam-preparation-guide
- https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/
- https://github.com/wetw0rk/AWAE-PREP/tree/master/Understanding%20Java%20Deserialization
- learn how to debug applications, echo variables, trace, decompile if necessary, etc. (interpreted=print, compiled=step)
- know how URL routing works in each of the languages
- SQL scripting
- php
- laravel (mvc) -> php – understanding routing
- beg/advanced projects to review: https://hub.schellman.com/blog/oswe-review-and-exam-preparation-guide
- https://github.com/wetw0rk/AWAE-PREP/tree/master/Understanding%20PHP%20Object%20Injection
- https://github.com/wetw0rk/AWAE-PREP/tree/master/%5Cdev%5Crandom:%20Pipe
- https://github.com/wetw0rk/AWAE-PREP/tree/master/XSS%20and%20MySQL
- learn how to debug applications, echo variables, trace, decompile if necessary, etc. (interpreted=print, compiled=step)
- learn how requests are routed
- learn what OOP is
- regex filtering/validation
- django (mvc) -> python – understanding routing
- learn how to debug java, .net, php, and node on windows AND linux
- learning debugging, oop, mvc in java, nodejs, php, and c# (and how to read variables out of them)
General techniques to know about
- blind sql hunting (sqlmap)
- php type juggling
- common vuln examples: https://hub.schellman.com/blog/oswe-review-and-exam-preparation-guide
- reverse shells: https://highon.coffee/blog/reverse-shell-cheat-sheet/
- upload insecure files: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files
- read examples here: https://stacktrac3.co/oswe-review-awae-course/
- read examples here: https://z-r0crypt.github.io/blog/2020/01/22/oswe/awae-preparation/
Pre-course things to revisit before purchasing the course
- read the footnotes and links, do the extra miles!!!
- define a methodology: blackbox the app first, then white box source code (grep/ngrep?)
- set up kali and note strategy
- read offsec faqs and guidelines for course and exam
Lastly, make a list of things from the above to review halfway through the course, and another list to review before scheduling the exam.