Hey there! I’ve recently completed the OSWE certification, and I decided to share my thoughts about the course, the labs, and the exam. After this Intro, the structure will be bullet-point-based.
“Offensive Security Web Expert”, or OSWE for short, is the most advanced web certification offered by Offensive Security (in 2023, at least), a notch above the OSWA (Offensive Security Web Assessor). The accompanying course is known as “WEB-300: Advanced Web Attacks and Exploitation” (AWAE).
The course approaches web application analysis from two different perspectives: white box, and black box. The black box scenario is when you’re trying to break into a web app without knowing much about it. It’s like most real-world pentestings where you’re clueless about the app’s source code. This is the point where the OSWA (the OffSec WEB-200 cert) focuses.
White box is where the OSWE challenge really begins. You have to analyze the source code of the applications, using debugging tools if neccessary. This gives you a unique perspective on how everything really works, which may be really valuable to find vulnerabilities.
Of course, if you want to know if some target is vulnerable just by reading the code, you need to understand what that code is doing. You don’t need to be the best programmer ever to get the OSWE, but you certainly need to understand several programming concepts and languages.
The OSWE course also covers the combination of different vulnerabilities to get full control of a system. Several examples of this are given in the course.
About the course
- The course includes 12 modules (plus Introduction, Conclusion and an archived module)
- Every module has a text version, plus a video version. I usually prefer text because I feel it adapts to my desired pace.
- The first module talks about tools and methodologies. It’s useful if you’re not familiar with web pentesting or code analysis, but it’s not really necessary if you have some experience.
- The rest of the modules analyze an application with detail, finding and exploiting different vulnerabilities.
- Some applications are analyzed from a white box perspective. Relevant sections of the source code are highlighted, and the “how” and “why” is vulnerable are explained.
- I’m not going though the syllabus, but you can check it here.
About the labs
- Besides the training material, the course gives you access to 15 lab machines (plus a retired one, corresponding to the retired module).
- Many of these machines serve as example of the theory, having the same vulnerable applications so you can replicate the exploitation.
- These “modules labs” are a nice exercise to practice the theory. They are not really hard (mainly because you already got the solution), but they give you a nice real-world perspective of the vulnerabilities.
- Other labs serve as an “extra mile”. They are not covered in the course and OffSec doesn’t provide any hints or solutions. You have to find the vulnerabilities by yourself. Completing these labs is not required to pass the exam, but it’s a good way to practice after completing every module.
- I think “extra mile” labs are not neccesary to pass the exam. In fact, I could argue that, of every OffSec course I’ve taken, the content of the OSWE course is the most “conceptual” one. You better understand the concepts and read the code to find how everything works. If you really understand the theory, you will be able to find vulnerabilities in the exam (and in real life, obviously).
About the exam
- OffSec policy about the “exam secrecy” is very strict so I cannot share specific details.
- You have 47h and 45 minutes to finish. After the end of the exam, you have 24 hours to complete and send a report.
- Proctored, as every OffSec exam. Your screens and your webcam are contantly watched by the proctor team, so you don’t cheat or get help.
- You need 85 out of 100 points to pass.
- The exam is really challenging, even when accessing the source code. Trying to find a vulnerability is hard. Trying to find an exploitable vulnerability, is quite a challenge.
- There are several rabbit holes… Some vulnerable code may not be exploitable, or maybe it looks vulnerable but it’s mitigated somehow somewhere else.
- You are required to provide a single script that exploits the whole system. This means that you need to chain several vulnerabilities inside the same script, and OffSec is very strict about this. If you are not used to program web exploits, you should practice before the exam.
- I can say that the exam was frustrating… But, in the end, it was really fun. Just take it as a CTF and a learning experience, and you’ll be fine.
How was my exam
- I started at 20:00h.
- I explored everything I had for around 4 hours. I took some notes and prepared the debugging environment. Then, I went to sleep. End of Day #0.
- The next day, I woke up early, got some coffee, and started working. I chose one of the given targets and started working on it. I dedicated a really long time trying to comprehend how everything was working. Finally, I got some points for my first target.
- During the rest of the day, I didn’t get any more points. I lost a lot of time trying to exploit several rabbit holes, and after reading every line of code I had and not getting anything, I got really frustrated. I decided to call it a day and go to sleep after more than 16 hours of work. End of Day #1.
- The last day I woke up early, got some more coffee, and got at it again. After a nice night of sleep, ideas were clear in my head. I made a diagram of every vulnerability I found in the code, marking whether it was exploitable, or not, or unknown; as well as the affected code and the related web app endpoint. After a full day reading and processing the source code, this came easy. This diagram was key to my progress.
- That day, after generating my awesome exploitation diagram, I only needed around 8h to get every flag of the exam, 100/100. I even had extra time to craft my report, so I didn’t need to work on it the next day. End of Day #2.
- Rest frequently. I crearly could think better and progressed more when well rested. Even if it’s just a walk around your room, or just the time to make yourself some coffee. Just stop looking at the screen for some minutes.
- Also, sleep well. A good night of sleep is not wasted time. Sometimes ideas just come up from a well rested mind.
- Progress is not linear, at all. I spent the first half of the exam trying to understand the code, how everything worked, how it was connected. Once you get a grasp on everything, then you can find vulnerabilities and try to exploit them. I got most of my targets in the last 8h of exam.
- Take notes. Reading hundreds of lines of code is hard enough, don’t make it worse. Note suspicious code fragments, weird behaviors you need to investigate inside the code, why you think something may or may not be vulnerable…
- Relax. For real, it’s just an exam. If you fail, you can try again. If you pass, you’ll get a nice cert. If you don’t, you’ll get a nice learning experience. Just enjoy the ride. You’ll get a better experience and better results if you just relax and enjoy the process.
- I enjoyed the course, but I enjoyed the exam even more. It was really challenging and kind of fustrating (so many rabbit holes, dang it!), but in the end it was really fun.
- If you are not familiar with web pentesting, you should start with another web pentesting course (maybe the OSWA?). The OSWE is not for beginners, and it expects you to have solid knowledge about web applications hacking concepts.
- If you have no idea about programming, the course may be a little hard to follow. If you want to get the OSWE, you should, at least, understand the basics of programming. Reviewing code is not easy even if you know how to program, so you should be prepared.