AWAE/OSWE Review

About 2 years ago, I heard about the AWAE course for the first time. This was when OffSec announced that it was going to be an online course instead of an in-class one.

I had earned my OSCP 1.5 years earlier and decided that the OSWE would be my next challenge. The reason was an unfulfilled passion for web application security, which I had little hands-on experience with. Most of my experience was focused on infrastructure and network security, although I did have a good understanding of the theoretical concepts of web security.

Also, in the past I had some experience writing C# code and PowerShell, Bash and Python scripts (which is crucial if you are thinking of taking this exam), but in order to pass I would have to be able to read and understand code written in PHP, C#, JavaScript (Node.js) and Java.

Although I knew that in order to pass this exam I would have to learn and practice very hard, I didn’t have the chance to do so for a while due to career moves and some happy life events that required my full attention.

In October 2020, I decided that this was the right time to register, and I started my AWAE journey. I registered for the 2-month lab time, knowing I wouldn’t have much free time on regular weekdays. Looking back, this was the right decision for me.

Course experience:

After reviewing the course materials, I felt very good about them. The coverage of web vulnerabilities and the exploitation process was pretty wide but also pretty deep.

Almost all of it covered known CVEs in different web applications; some were easier to understand and some were more complex. The number of exercises given for each module is enough in my opinion, and some of the exercises are called “extra mile”, which basically means you will have to do some more independent research in order to complete them successfully (make sure you do all of the exercises; this is key if you want to pass the exam).

Since I didn’t have much hands-on experience with web app security, and especially with the white-box approach, I feel that I learned a lot of new things, like how to decompile and debug an application, techniques for locating and exploiting vulnerable pieces of code in a fairly large code base and, of course, automating everything (mainly with Python). Also, I learned about pretty awesome vulnerabilities that I had never heard of before, like “SSTI”, “PHP loose comparison” and “type juggling” (shame on me!)

Exam – general:

I can’t say too much about the content of the exam due to copyright issues. OffSec has published this information and it is recommended that you read it before your exam. In general I can say this: this was by far the hardest exam I have done, and also the achievement I am most proud of.

Make sure you are ready for a 48-hour proctored exam, meaning your webcam will be on and your screen will be watched the entire time. Having said that, it is okay to take as many breaks as you like as long as you give an update when you are taking one and when you are back.

Exam – first attempt:

Day 1:

On the day of the exam, I wasn’t sure that I was ready and I was extremely nervous. I started the exam at 9:00am; it takes 15-20 minutes to pass the proctoring checks (make sure you follow OffSec’s instructions before the exam so you won’t have problems).

The first couple of hours were pretty much useless since I was very nervous, but after that I started to feel more comfortable and was able to find some interesting information, though not something I could exploit.

After trying to exploit a certain path for 3-4 hours, I felt I was stuck and decided to move on and try a different approach. This was a good decision. After another 3-4 hours, I was able to find the first vulnerability! This was very satisfying; I felt like all of the hard work had finally paid off and that I was on the right track. Within another 4-5 hours, I was able to find another 2 vulnerabilities, and at that point I started to take screenshots and put everything I had managed to do so far into a single script. Writing the script was pretty hard since I had hardly taken any breaks since the morning, and after 12 straight hours in front of the screen I was exhausted! I decided to take a break, then worked on it for another 2-3 hours and then, at about 2am, went to sleep.

Day 2:

I woke up at 7:30, had something to eat and went right back to the point where I had left it: finalizing the script for the vulnerabilities I had found so far. I have to say that I was surprised by the amount of effort it took me to automate the whole process. Although I had some good scripting skills, it took me a good amount of time to finally come up with a script that worked flawlessly, but eventually I managed to pull it off, and at about 11:30am I went back to looking for more interesting stuff, since I still hadn’t cleared enough points to pass the exam.

Since I had found some interesting information in the first 3-4 hours of the first day, I had a clue what I should be looking for, but I just couldn’t find a way to exploit it! Before starting my exam, I read a lot of good exam reviews, and all of them warned about “rabbit holes”: a place where you could easily burn several hours without making any progress! Well, I was reading the code of the application over and over again, trying to figure out where this vulnerability was hiding.

At about 21:00 I was completely exhausted and had no energy to continue. I tried to give it one last try, but I almost fell asleep on the keyboard, so I decided that that was it: I would try harder next time.

I registered for another attempt, which was 4 weeks later (the minimum you have to wait between the 1st and 2nd attempts). During this time, I worked pretty hard to reread all of the course materials and also to read about and research more thoroughly all of the vulnerabilities in them.

Exam – second attempt:

This time I was much less nervous since I knew exactly what was waiting for me. I made sure to sleep well the previous night and, in general, took more breaks and rest during the day.

This approach worked. I was able to locate and exploit all of the vulnerabilities and submit my report after 36 hours!

Luckily, I didn’t have to wait too long for the results, and my mind was blown when I read the first sentence of the email I got from OffSec:

Some tips:

  1. If you don’t understand something in the course materials, please do yourself a favour and do some research in order to fully understand it! Google, OffSec’s forums, etc.
    This is crucial in order to get ready for the exam.
  2. Make sure to complete all of the exercises in the course (especially the “extra miles”).
  3. I think it would be extremely challenging for someone without any knowledge of web security or PT: you would have to be able to read code and understand how it works and what the flow is.
  4. Practice your Python scripting! Make sure you are able to write scripts that interact with web applications (GET, POST, session management, uploading files, etc.).
  5. Working with Burp Suite is a key factor; if you are not familiar with it, make sure you get familiar with it.

Useful resources:

  1. I found these challenges useful, since it’s not easy to find solutions for them and some of the exercises are pretty good: https://www.root-me.org/en/Challenges/Web-Server/
  2. Magic hashes: https://offsec.almond.consulting/super-magic-hash.html
  3. In general, google everything you are not sure about! There are literally hundreds of resources available on the internet about almost everything; use them!
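The “PHP loose comparison” mentioned under the course experience and the magic-hash list linked above come down to one rule: PHP’s `==` compares two numeric strings as numbers, so any md5 of the form `0e` followed only by digits is worth 0 and equals every other such digest. The following is an added example, not code from the post or from OffSec: it emulates PHP 8’s `==` in Python (a regex approximation of PHP’s numeric-string rules; only decimal forms are modelled), checks digests for the magic form, and puts the vulnerable `==` password check next to the strict comparison that fixes it. The candidate strings, the `md5_hex` helper and the other function names are the example’s own.

```python
# Added example, not from the original post: PHP's loose comparison (==) emulated
# in Python, with the "magic hash" case it enables and the strict check that fixes it.
import hashlib
import hmac
import re

# PHP 8 numeric string: optional surrounding whitespace, sign, decimal digits with an
# optional fraction and exponent.  Assumption: only the decimal forms are modelled.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")

def php_numeric(s):
    """Number PHP reads from a numeric string, or None if the string is not numeric."""
    if not _NUMERIC.match(s):
        return None
    s = s.strip()
    return int(s) if re.fullmatch(r"[+-]?\d+", s) else float(s)

def php_loose_eq(a, b):
    """Emulate PHP 8 `==` for int/float/str operands (PHP 7 differed: a non-numeric
    string compared to a number was cast to 0, so 0 == "abc" was true there)."""
    if isinstance(a, str) and isinstance(b, str):
        na, nb = php_numeric(a), php_numeric(b)
        if na is not None and nb is not None:
            return na == nb            # two numeric strings compare as numbers
        return a == b                  # otherwise a byte-wise string comparison
    if isinstance(a, str):
        a, b = b, a                    # normalise to (number, string)
    if isinstance(b, str):
        nb = php_numeric(b)
        # PHP 8: numeric string -> numeric compare; otherwise the number is cast to
        # a string (Python's str() stands in for PHP's cast, an approximation).
        return a == nb if nb is not None else str(a) == b
    return a == b

def is_magic(hexdigest):
    """A hex digest of the form 0e<digits> is a numeric string worth 0 * 10^n == 0,
    so under == it equals every other such digest."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def find_magic(algo, candidates):
    """First candidate whose digest is magic, or None (algo is a hashlib name)."""
    for c in candidates:
        if is_magic(hashlib.new(algo, c.encode()).hexdigest()):
            return c
    return None

# The typical bug: `if (md5($_POST['pw']) == $row['hash'])` in PHP.  (Unsalted md5
# for passwords is a second problem; the example keeps it to stay close to the bug.)
def check_vulnerable(stored_hex, supplied_password):
    return php_loose_eq(stored_hex, md5_hex(supplied_password))

def check_hardened(stored_hex, supplied_password):
    # PHP's fix is `===` or hash_equals(); compare_digest is the Python equivalent
    return hmac.compare_digest(stored_hex, md5_hex(supplied_password))

if __name__ == "__main__":
    stored = md5_hex("240610708")                  # a password whose md5 starts with 0e
    print(stored, is_magic(stored))
    print(check_vulnerable(stored, "QNKCDZO"))     # True: a different password is accepted
    print(check_hardened(stored, "QNKCDZO"))       # False
```

Both `240610708` and `QNKCDZO` are well-known md5 magic strings; `php_loose_eq` shows why they collide (`"0e462…" == "0e830…"` is `0.0 == 0.0`) and why `"1e3" == "1000"` is also true. When reading PHP source for the exam, every `==` between user input and a hash, token or password is worth a second look; the fix is `===` or `hash_equals()`.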