
AWAE & OSWE — A Review from a Software Developer


AWAE

The Advanced Web Attacks and Exploitation (AWAE) course by Offensive Security focuses primarily on white-box penetration testing. It is more akin to the code reviews that software developers routinely perform than to the black-box reconnaissance that the OSCP emphasised.

The syllabus for the AWAE course sums up what is learned. However, I really felt like they should have dived into vulnerabilities using popular web frameworks such as Django, Rails, Angular, or Express.

Studying for the OSWE

I signed up for 90 days of lab time. In hindsight, this was overkill. But given that the OSCP took me just shy of 5 months to get, I didn’t want to take any chances.

My course material and lab started in the beginning of August. I studied around 5 hours a day and completed the majority of the PDF and videos by the 20th day. By the time I attempted my exam, I had finished all but one of the extra-miles and completed all of the exercises and lab machines.

OSWE Exam Booking

I signed up for the OSWE realizing that I wanted to get it done before my classes resumed in September. So I quickly booked my exam to start at 5pm on a Monday, which gave me until Wednesday at 4:45pm to hack the two web applications. Surprisingly, there were no hiccups in booking the exam and there were many slots available.

OSWE Exam

My exam began with the usual check-in process to make sure the proctors could see my screens and webcam. I was emailed the exam connection at 5pm sharp.

First machine

The first machine took me until midnight to figure out the path to full remote code execution. It took me until the next day to get everything coded up in one exploit. This machine in total took me around 7 hours (minus sleeping at night).

Second machine

The second machine was what really tripped me up. I went through the source code many, many times, reading every single line two or three times, yet still couldn’t find anything to exploit. While I was lying in bed at 3am with my mind racing through everything I had seen in the source code, something peculiar jumped out at me — I quickly realized it was the missing piece of the puzzle. So I jumped out of bed, tried the idea I had come up with, and it worked! After waking up, I quickly wrote the proof-of-concept script and fully finished the machine by 12pm. This machine took the longest at a full 24 hours.

Conclusion

Was this certification worth the money? Probably — if I had gone with the 30 day package instead of the 90 day one. Since I already had a lot of development experience doing code reviews and creating web apps, it took me much less time to digest and understand the material.

My (Opinionated) Advice

I: Build a methodology

Have a methodology and stick to it. Here is mine:

  1. Make sure to record all traffic through Burp
  2. Make sure you know where the log files are (if any)
  3. Check all public web pages
  4. Check all authenticated web pages — note authentication endpoints (login, password reset), admin areas, file upload, forms, restricted areas
  5. Prioritise unauthenticated functionalities, then authenticated ones like password reset and session management
  6. Check for SQL Injection on publicly accessible endpoints
  7. Check for programming-language specific issues (e.g. readObject in Java, eval in JavaScript)
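Steps 6 and 7 are the kind of check a reviewer can triage mechanically before reading a codebase line by line. As an added example that is not from the original post or the course, here is a small Python sink finder that flags Java deserialization calls, JavaScript `eval`/`Function`, and string-built SQL, run over constructed Java and JavaScript snippets (the file names and code are made up for illustration).

```python
"""Sink finder for white-box review: flag language-specific dangerous calls
and string-concatenated SQL so the reviewer knows where to read carefully."""
import os
import re
from dataclasses import dataclass

# Patterns keyed by file extension: (label, compiled regex), one hit per line.
SINKS = {
    ".java": [
        ("java-deserialization", re.compile(r"\.readObject\s*\(|new\s+ObjectInputStream\b")),
        ("sql-concat", re.compile(r"(executeQuery|createQuery|prepareStatement)\s*\([^)]*\+")),
    ],
    ".js": [
        ("js-eval", re.compile(r"\b(eval|Function)\s*\(")),
        # `.query(` whose argument is built with `+` or a `${...}` template
        ("sql-concat", re.compile(r"\.query\s*\([^)]*(\+|\$\{)")),
    ],
}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    label: str
    source: str

def scan_source(path, text):
    """Return a Finding for every line in `text` matching a sink for its extension."""
    ext = os.path.splitext(path)[1]
    return [Finding(path, n, label, line.strip())
            for n, line in enumerate(text.splitlines(), start=1)
            for label, pattern in SINKS.get(ext, [])
            if pattern.search(line)]

# Constructed sample sources (hypothetical, not from any real application).
SAMPLES = {
    "UserController.java": """\
import java.io.ObjectInputStream;
public class UserController {
    Object load(InputStream in) throws Exception {
        return new ObjectInputStream(in).readObject();
    }
    ResultSet find(Statement st, String name) throws Exception {
        return st.executeQuery("SELECT * FROM users WHERE name = '" + name + "'");
    }
}
""",
    "routes.js": """\
app.get('/calc', (req, res) => res.send(eval(req.query.expr)));
app.get('/user', (req, res) => db.query(`SELECT * FROM users WHERE id = ${req.query.id}`));
const safe = db.query('SELECT * FROM users WHERE id = ?', [req.query.id]);
""",
}

def scan_all(sources=SAMPLES):
    return [f for path, text in sources.items() for f in scan_source(path, text)]

if __name__ == "__main__":
    for f in scan_all():
        print(f"{f.path}:{f.line} [{f.label}] {f.source}")
```

The parameterised query on the last JavaScript line is deliberately left unflagged, so the output is a reading list of risky spots rather than a verdict.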

II: Take breaks

Take breaks often. I cannot stress enough how often I came up with ideas during my break time versus staring at the screen.

III: It’s not over until it’s over

When I couldn’t find any way in after a whole day of looking, I was demoralized. But by the 26th hour, I found something I had accidentally overlooked. Don’t give up.

IV: Do everything in the PDFs

Do all the exercises and extra miles. Seriously.

V: Treat the exam as a learning experience

You don’t fail by failing the exam. You only fail when you give up.


Thank you for reading! I hope to learn much more in the cybersecurity space and hope to record this journey in my blog!