An AWAE/OSWE Review (2020 Update)

Greenwolf
Greenwolf Security
Dec 15, 2020

In 2019 Offensive Security made a big change to their OSWE course by moving it online, whereas previously it was only available once a year in person at Blackhat USA.

The original release consisted of 7 modules spanning a 250-page lab guide. Then in July 2020 they expanded it to 10, bringing the total pages up to 400.

I signed up for the OSWE back in early July, just before the update was released and I have to take a moment to say that Offensive Security were fantastic. They upgraded me to the new content part way through the course for no extra cost and gave me a free month of lab time to cover the transition.

So today I’m going to share my experiences with the AWAE Lab, give you some tips for the OSWE exam, and provide my (with hindsight) recommendations for how to prepare for the course.

Preparation Recommendations

It should be noted that even with the new modules, the AWAE course is primarily centred around white box code review. This means you’ll need to understand how to read code. And while you don’t need to be an expert, proficiency in the general language structure of PHP, Java, C# and JavaScript will be hugely beneficial to you.

Additionally, proficiency in writing Python code will be very useful. This should be at least the OSCP exploit writing level. A good gauge would be to practice writing a Python exploit using the requests library to exploit the SQL injection and read usernames from the database in the Damn Vulnerable Web Application.

Having a basic understanding of how SQL Injection, Cross-Site Scripting, Type Juggling, Server-Side Template Injection, XML Entity Injection, Malicious File Uploads and Deserialization work will also put you in good stead to begin the course.

I have to confess I didn’t actually do any preparation for the course and found that my existing experience of 4 years of web application pen testing and tool writing experience was sufficient. But the above would be my recommendations for those that wish to prepare or do not have existing industry experience.

The AWAE Lab

The AWAE lab now consists of 10 modules, 1 tool preparation and 9 exploit walkthroughs. 8 of these are white box code reviews, and 1 is a black box assessment. Each one walks you through a full exploit chain, from unauthenticated access to full remote code execution on the box.

Each module contains both a written guide and videos to walk you through each step. Each module also has additional extra mile goals which you can complete to supplement your learning with Offensive Security’s traditional try harder approach. I found completing these extra miles extremely valuable, as a number of them taught skills or tricks that were useful in the examination.

The new content which was added in the 2020 update was also particularly interesting, focusing on abusing password reset functionality and showing how certain implementations can be insecure. It also expanded on the number of exploit classes in the course, which was a welcome addition to rounding off the original course by including real world examples of Server-Side Template Injection and XML Entity Injection.

As I went through the course, I made 3 note files for quick referencing.

· A note of all the tips and tricks which were taught to us.

· A note of grep commands to search for different exploit types in the source code.

· A note of more generic steps on how to approach a white box code assessment.

I found these very useful in the exam and would suggest finding a similar system which works for you.
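An added example, not from the original post or the course material: one way to keep such a notes file of search patterns as a small Python script, with each pattern tied to a vulnerability class and to the languages where that class applies. The rule patterns, the sample files and the names `scan_source` and `scan_tree` are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# (vulnerability class, file extensions it applies to, regex for a risky sink).
# Illustrative starting patterns assumed for this example, not the course's list.
RULES = [
    ("sql injection", {".php", ".java", ".cs", ".js"},
     r'(?i)\b(?:select|insert|update|delete)\b[^"\n]*"\s*[.+]\s*[$\w]'),
    ("type juggling", {".php"},
     r"(?i)(?:token|hash|password)[^;\n]*[^=!<>]==(?!=)"),
    ("deserialization", {".php"}, r"\bunserialize\s*\("),
    ("deserialization", {".java"}, r"\.readObject\s*\("),
    ("deserialization", {".cs"}, r"\bBinaryFormatter\b"),
    ("xml entity injection", {".java"}, r"\bDocumentBuilderFactory\.newInstance\s*\("),
]
COMPILED = [(cls, exts, re.compile(rx)) for cls, exts, rx in RULES]
EXTS = set().union(*(exts for _, exts, _ in RULES))

def scan_source(filename, text):
    """Return (class, filename, line number, line) for each rule hit in one file."""
    ext = Path(filename).suffix.lower()
    return [(cls, filename, no, line.strip())
            for no, line in enumerate(text.splitlines(), start=1)
            for cls, exts, rx in COMPILED if ext in exts and rx.search(line)]

def scan_tree(root):
    """Scan every file with a known extension under root (e.g. a mounted source tree)."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTS:
            hits += scan_source(str(path), path.read_text(errors="replace"))
    return hits

# Constructed sample files, embedded so the example runs offline.
SAMPLES = {
    "login.php": '<?php\n$q = "SELECT * FROM users WHERE id = " . $_GET["id"];\n'
                 'if ($_GET["token"] == $row["token"]) { grant(); }\n'
                 'if ($_GET["token"] === $row["token"]) { grant(); }\n',
    "Import.java": 'Object o = in.readObject();\n'
                   'ps = conn.prepareStatement("SELECT * FROM t WHERE id = ?");\n',
}

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else [
        h for name, src in SAMPLES.items() for h in scan_source(name, src)]
    for hit in found:
        print("{1}:{2}: [{0}] {3}".format(*hit))
```

Each hit is only a lead for manual review: the strict `===` comparison and the parameterized query in the samples are correctly left unflagged, but a flagged line still has to be traced back to see whether user input reaches it.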

The updated course also includes 3 lab machines which there are no guides for, to help simulate a fresh white box security assessment and prepare you for the exam. I never actually used the boxes, and my approach was to take a shot at the exam, and if I didn’t pass, I would have gone back and looked at these machines to help prepare for a second attempt. Fortunately, I never needed to do this as I passed on my first attempt.

The OSWE Exam

While I can’t say too much about the exam, I think it is safe to say that the new modules included in the 2020 update are very useful to help you prepare for the exam. An ex-colleague of mine who bought the course but didn’t complete the exam in 2019 asked me if he should purchase the course upgrade, and I wholeheartedly recommended that he should, as the exam would have been much more difficult without it.

For the OSWE exam itself, I’m not sure if my experience is typical, or even recommended. I finished in 36 hours, and drank 6 cans of energy drink and 4 iced coffees in the first 24. It took my body a few days to recover following the exam, as I was buzzing, and my sleep pattern was completely messed up!

I started at midday, worked for 16 hours until 4am in the morning, then slept for around 5 hours. At this point I had completely finished the first of the exam machines, achieving 50% of the marks I needed to pass. I had also read through the codebase of the 2nd machine.

By the time 24 hours was up I had achieved enough for the 85% pass mark, but then spent another 12 hours getting full remote code execution on the final box to hit 100%. I then wrote the first draft of my report, and sanity checked it the next day. Write high (on caffeine), edit sober!

This definitely wasn’t the healthiest approach to the exam, but it meant I finished 12 hours early, time which I would have been extremely grateful for if I was still grinding away.

This was my approach, but you are an adult, you can make your own choice on how you want to approach and divide your time during the exam.

For the duration of the attempt, the proctoring software recorded me through my webcam and also recorded my desktop screen. You’re required to notify their staff whenever you leave your desk. You are allowed to turn off the proctoring software when you go to sleep, which also disconnects you from the lab VPN.

My generic tips for the exam would be:

1. You’re allowed to mount the exam machines’ filesystem for grepping and opening files in your favourite editor.

2. Take your time to read the source code and understand the flow of an application before diving into searching for bugs.

3. Certain exploit types are associated with certain languages and don’t exist in others.

4. Prepare by doing as many extra miles as you can.

Final Thoughts

To conclude I would like to thank Offensive Security for another fantastic course. I really think they are one of the best providers with the most valued certifications in the industry.

I would wholeheartedly recommend the AWAE course and the OSWE certification to anyone working as a penetration tester or security consultant. It’s a great training course to either upskill or prove your existing application testing skills. I guarantee you will walk away with a few more items in your arsenal and a few more tricks up your sleeve by the end of it.

I also found it gave me the confidence to dive into source code review. Actually, while taking the course, I was on a black box web application assessment where Burp’s active scan found a path traversal file download. I used this to download the application’s source code and found a number of critical issues using white box methods. But more details of that will have to wait for a (heavily redacted) future post.

I also like to think the certification helped in landing the new job I secured a few weeks ago. I’m actually making the move from consulting to an internal red team, which I’m incredibly excited about. I have some exciting new adventures on my horizon! So, until next time, over and out!
