2022 is off to a great start for me – I recently passed my Advance Web Attacks and Exploitation (AWAE) exam and earned my Offensive Security Certified Expert (OSWE) Certification.
Background
I previously achieved my OSCP (Offensive Security Certified Professional) in 2018 and knew then that I wanted to ultimately earn my OSCE (Offensive Security Certified Expert). However, I had other commitments – I was enrolled in both Oregon State University Post-Bacc in Computer Science Program and the SANS Institute’s Graduate Certificate for Penetration Testing. I had other commitments and had to put my goal of earning OSCE on hold.
In August 2021, I had completed by SANS graduate certificate program and most of my courses for OSU (I’m currently completing my final class) and I had extra bandwidth to again pursue my OSCE.
The AWAE is one of three certifications needed from Offensive Security to achieve OSCE – the other two being OSEP (Offensive Security Experienced Pentester) and OSED (Offensive Security Exploit Developer).
Who is Offensive Security
If you’re not familiar with Offensive Security, they are the company responsible for creating the most popular Linux Distro in use for penetration testers and security practitioners – Kali.
They also provide training and certifications in the various field of penetration testing, e.g. windows/linux/Mac exploit development, black box penetration testing techniques and methodologies, web application penetration testing, etc.
Offensive Security certifications are arguable the most well-respected in the INFOSEC community – even by those who scorn certifications.
This is because you are required to demonstrate hands-on practical ability to launch a successful penetration test.
The AWAE exam is a proctored exam where you’re given access to a VPN with vulnerable web applications. You’re required to identify the vulnerabilities in those web applications and write your custom script to exploit them. There are no hints and you can’t phone a friend.
What is AWAE
Anyone who has take other penetration testing courses know that the field is very broad – there are different phases/aspect of a pen test engagement. AWAE is focused solely on exploiting Web Applications.
In the Penetration Testing With Kali Linux (PWK)/OSCP course, the approach was from a black box perspective – you had no prior knowledge about what services the VMs were running. You were taught the process of scanning, enumerating, then exploiting machines.
In AWAE is a course in white-box penetration testing. You know the vulnerable service is a web application and you’re given access to source code.
In the PWK/OSCP there were 40+ machines to exploit, in AWAE there 6+. The number of targets is smaller, but you’re digging through thousands of lines of code to discover vulnerabilities.
AWAE/OSWE differs from PWK/OSCP in that you write your own exploit – typically in python. The general strategy is exploit authentication then achieve a shell, i.e. remote code execution.
The instructor walks you through on processes and methodologies to identify vulnerabilities in the different web applications and how to exploit them.
If PWK/OSCP is a mile wide and one inch deep, then AWAE/OSWE is a mile deep and one inch wide.
Recommended Pre-requisites
AWAE is an advanced course, if you’re new to cybersecurity or penetration testing, this is not for you. I recommend you have a baseline level of knowledge and skills prior to taking the course:
- Scripting Language, recommend Python
- Needed because you have to write your own exploits for the exam
- Python recommend because this is what’s used in the course
- Understanding of routes/endpoints in web application
- Preferably familiar with one web application framework, e.g. nodejs express, django, php ruby on rails
- If you know one, that should give you sufficient exposure to understanding how web applications are built,
- General understanding of vulnerabilities in Web applications e.g. sqli, xss, csrf, etc.
- no need to be an expert, you’ll get tons more instruction during the course
- Understand how to read regular expressions e.g. “.*?var.*?sql.*?=.*?query.*?
- Be comfortable using IDE for debugging e.g. Visual Studio, or Eclipse. In the course you’ll be debugging in VS Code a lot
- Foundational understanding of programming:
- Control Structures (if, while, for, etc)
- Data Structures (dictionaries, lists, arrays, etc)
- Data types (strings, ints, floats, booleans)
AWAE Exam
As stated before you have 48 hours to exploit a certain number of vulnerable web applications. You have another 24 hours to write a penetration testing report.
- The exam is proctored, you’ll be required to verify your ID and to perform a sweep of the room you’ll be taking the exam in.
- Take breaks regularly. Examining thousands of lines of code will wear you down quickly. During the first day I took an hour long break roughly every four hours. In the second day, I needed a 10-15 minute break every hour. I probably could’ve planed breaks a better
- Do plan to get one solid block of sleep. I did not execute this properly, learn from my mistake. I was in bad shape during the second day.
- You can’t have your phone with you in the same room.
- You’ll need to notify the proctor anytime you leave and return to your computer.
- Don’t get stuck going down a rabbit hole. If an avenue you’re going down an avenue that you thought might lead to an exploitation but doesn’t, don’t be afraid to take a step back and examine another route.
- Take down notes about your thoughts and methodology on the vulnerabilities you discovered.
- TAKE SCREENSHOTS REGULARLY! It’s easy to get caught up in the engagement. Don’t be that guy who get all the ‘proof.txt’ and ‘local.txt’ files but forgets to take screenshots showing how you got them. You will fail if report is lacking.
Conclusion
I was really happy with the course, I learned tons of new techniques and methodologies to exploit web applications. I absolutely feel that I came away from the course a more knowledgeable security practitioner – both in theory and in practical, hands-on application. I think it was money well spent.
I expect that I will be enrolling in the OSEP course in the near future and the OSED following that. God willing, I’d achieve those two certs and become an OSCE.
Thanks for visiting,
Cheers