Offsec AWAE/OSWE

I recently had the opportunity (read: time) to take some training and get a new certification. I looked at the many offerings available, substantially more than when I took OSCP 10 years ago. Ultimately, I chose to return to Offensive Security and take the Advanced Web Attacks and Exploitation course, which leads to the Offensive Security Web Expert certification.

Why OSWE?

I’ve always been drawn to web applications, and so many of the things we do run on the web. I’m super interested in systems exploitation as well, but after coming off a stint as a full-time Go/Python developer I felt the white box approach was an area in which I would excel. Additionally, while browsing job listings, I notice Offensive Security’s certs listed more frequently than I see other, comparable certifications. While I don’t expect companies to be tripping over each other to hire me because of this cert, I do hope proving I have these skills will at least get me in the door to a few more places and help me land a job I actually want.

My AWAE Experience

Since I was bankrolling myself, I only signed up for 30 days of lab access, thinking I could purchase additional time if I felt that I needed it (I didn’t). After receiving my course info, VPN connectivity pack, etc., the first thing I did was schedule my exam. If you’re on any kind of schedule, I suggest you do the same. The first available exam was 29 days out. I grabbed it.

The course material was delivered as a lab guide PDF and a set of videos packaged with an HTML document to make it easy to watch the content. I pushed the files up to my home lab so I could watch from anywhere on my internal network. This was actually very helpful as my methodology for taking the course was something along the lines of:

  1. Casually watch an entire section
  2. Read relevant section in lab guide
  3. Re-watch the videos while following along in the demo
  4. Do extra mile challenges from lab guide

Having the videos easily available made it so I could do the first “casual” watch at my leisure. I could then make efficient use of the few post-bedtime, quiet, “get shit done” hours I get each night.

I won’t go too much into specifics about the course content. Offensive Security’s official info covers it well. I would, however, point out that the prerequisites should be respected. That’s not to say you need to be fluent in .NET or know all the good parts of JavaScript, but you need to be able to read these languages and understand what is happening. Be ready to look up references for libraries and functions you don’t know.

In addition to their prerequisites, I would suggest you have a firm grasp on an IDE of your choice. The course presents alternative tools (grep, Notepad++) for searching code bases; however, modern IDEs are EXCELLENT at this kind of thing. Want to know where a function is defined? Right Click > Go To > Implementation. Want to know where a function is used? Right Click > Find Usages. You get the point. Modern tools exist. Use them! I was raised in a JetBrains shop and really like their products. VS Code will work just as well if that’s your thing.

I would also add that you should be familiar with debugging code: setting breakpoints, watching variables, stepping in, over, or out of function calls. These aren’t such complicated things that you couldn’t learn them as you go, but if you want to come prepared, spend an evening tracing through some code if you’re unfamiliar. Again, a good IDE comes in handy here.

During most of my 30 days leading up to the exam, I spent anywhere from 2-5 hours working on the material. There might have been the occasional night where I slacked a bit, but I tried to make it a point to be consistent.

Exam Day

The OSWE exam is 48 hours. That’s right. 48 hours. If you come to this having sat an OSCP exam you might find this extremely daunting. I did. I remember the 24 hours of OSCP exam being a grueling fight to the very end. If OSCP is a sprint, OSWE is a marathon. That is to say, in OSCP you have a lot to do in a very short period of time. It’s doable, but you have to push. OSWE, I found, was more relaxed. Work diligently, take breaks, eat a meal, get some sleep. You’ll be able to finish. That’s why you have 48 hours.

When I started my exam, I was at another property I own that is currently vacant. It was going to be great. Empty house, a large pizza, some drinks… I was set. There’s no internet there but I was going to tether to my phone. I work remote and have used VPNs tethered to my phone quite a bit with no issues. “It’ll be fine”, I thought. It wasn’t. I went through the initial steps with the proctor but when I connected to the VPN things just didn’t work. My ping was going through the roof, and my upload speed was almost nonexistent.

The clock had started at 8:00 PM and continued to run while I packed everything up and moved to my “Plan B” location… my parents’ house. Overall that little mishap took about an hour and in the rush I dropped my monitor on the gravel driveway. This kills the monitor. The clock continued to tick.

Once I was back online and given approval by the proctor to continue, I was able to start in earnest at around 9:30 PM. I made good progress and worked for about 8 hours before I slept for 3 hours. Then back at it for a long 18 hours. I did take breaks during that time, ate dinner with my folks, got some fresh air a few times. After that, around 2 AM at the beginning of the second day, I’d done it. All tasks were complete. I rested for about 5 hours then returned to make sure I had captured all the documentation I wanted to be able to prepare my report.

I logged out of the VPN with 8 hours still on the clock. Later that night, I began my report. I spent at least 10 hours writing it over the next 24 hours and it weighed in at a whopping 57 pages. That may have been a bit excessive, but I wanted to leave nothing to chance. I mostly wrote the report in the same style the lab guide was written in. Kind of like a lecture where I’m explaining where the vulnerable code is, how you can make it run, how to exploit it, and what to do next.

Overall, I had a blast taking this exam. I really enjoy bug hunting, writing and reviewing code, and of course, popping shells. The exam gave me a great excuse to do just that for almost two days.

Proctoring

A brief note on proctoring. I found it to be completely non-invasive. I hid the window and would only bring it up when I needed to send the proctor a message. At the end of the exam, I apologized for making them watch me shove pizza in my mouth and dance in my chair.

Results

I submitted my exam on a Tuesday and received my results the following Monday night. I’d passed. I expected I would but there’s always that bit of uncertainty.

Recommendations

If you’re interested in discovering and writing vulnerabilities for web apps and you’re not afraid of staring at source code all day, this cert is for you. Don’t expect to use flashy tools to scan networks and pop shells. Instead, expect to be looking at an IDE and Burp Suite.

If you plan on taking it, make sure you’re comfortable with everything OffSec mentions and give thought to my additional prerequisites above.

Do everything. If you just walk through the exercises, I don’t think you’ll gain a whole lot. Do the exercises and then do the extra miles. The extra miles are where you actually learn.