Hi everyone. In this article I will talk about which topics to focus on for the "Offensive Security Web Expert (OSWE)" certification, what the "Advanced Web Attacks and Exploitation (AWAE)" training briefly contains, and what they contribute.

First of all, I would like to mention two points that I think are even more important than OSWE itself, the subject of this article.

I - Do you think our perspective on certificates is correct?

Based on my limited experience in my environment and my brief two years in cyber security, the usual perspective on certificates is not correct at all :) So it's very important that you pay attention to what I have to say.

The biggest mistake is that certificates are viewed as shiny, glittering papers that will earn more money and open new doors. Is that a wrong idea? No, it's true :) Of course, institutions and organizations attach great importance to these certificates when it comes to a good job and high earnings, because they are hard to obtain. If a person has obtained important certificates, they also represent that person's knowledge. However, the mistake is to accept this as the primary purpose of obtaining the certificate. If your first purpose is not to improve yourself, the certification process generally ends in failure. Even if you succeed, your level of knowledge does not progress enough.

The main objective in entering the certification process should be the challenge of learning new information. I mean: you register for a certification at a certain cost and set up a work plan to get through the process well. You do everything you believe should be done, reading the full training documentation so as not to fail the exam. While preparing for the exam, you learn terms and topics you have never heard before. You research the important points you don't know and take notes. Would you still make this plan if you weren't in a certification process? Would you try to find and finish those documents and resources? Would you even know which subjects you should actually learn? If you ask me, very unlikely! This is why the certification process really serves a great purpose: it forces us to learn things we don't know. Therefore, we can see certification as a work plan for a specific purpose, not as a piece of paper. My advice is to register for such certification programs if your budget allows. In the background your brain will keep nagging you, and this will be your source of motivation.

II - Is the WEB easy to claim?

I'm going to be a little critical here, but in the cyber security industry I see that the WEB is underestimated by many. However, if a remote server is to be compromised, about 90 percent of the time this happens through the web, because the external (remote) access point to the target system is usually only the web application. Therefore, web security is very important. Apart from being underestimated, 9 out of 10 people you meet may call themselves web security experts. This attitude stems from the fact that everyone in the industry has been involved in web design (web building may be more accurate) at least a few times. If a person is able to create a web site, we readily call him or her a web security expert. Although I cannot fully explain it, I think the main reason is that the WEB is the first structure people encounter in internet technology, and people tend to think they are experts in anything they have used for a long time. Unfortunately, realistically you can see that this is not the case.

The reason I touched on this is: if you say "I'm already a web security expert", do not get involved in the OSWE certification, because you can get slapped. The answer is, "Yes, the WEB is unfortunately easy to claim." If you are not in love with the WEB, the OSWE certification process can overwhelm you and even break your current motivation. I underline that you should be hungry for the WEB, and I continue the article.

I will try to give as much information as I can under the headings below. I hope it will be useful.

- Do other certificates need to be obtained before OSWE?

- What's in AWAE training content?

- Suggestions

- What you need to know about the exam

- Things that need to be mastered before the exam

# Do other certificates need to be obtained before OSWE?

Many sources say that the OSWE certificate should be obtained after OSCP/OSCE. Those who obtain these certificates announce "My next goal is OSWE". I don't think this is necessary, because these certifications are completely different.

There is exploitation of web applications in OSCP, yes. However, it is asked for in a more automated manner. You will not be asked for anything advanced on the web side, such as developing an exploit or finding a new vulnerability through source code analysis. The exploitation of web application and service vulnerabilities in OSCP follows the same logic: exploiting an already known vulnerability with the pentest methodology and exploit code that is already published. I should also add that OSCP is a certification program that every pentester should go through. It gives you the pentest vision and practicality. In addition, you get familiar with Kali Linux; OSCP is already intended for performing penetration tests with Kali Linux.

But OSWE is a very different certification program. If we change the question to "Is it useful to get other certificates before OSWE?", then I say yes. At least you will have seen previously discovered vulnerabilities and their types in web applications. In other certifications you have the opportunity to examine exploit code written for vulnerabilities, and they provide background on how the working logic goes: how do you create a payload while exploiting a vulnerability in a web application, and how do you execute a command on the server? With them you can obtain basic answers to such questions about the final stages of exploitation.

Nevertheless, I have to say that the WEB itself is a very different world. For this reason, I do not think OSCP is essential. The OSCE certification includes web exploitation, but not like OSWE. I am currently in the OSCE certification process, so I didn't take OSWE after OSCE :) Therefore, it is not necessary to take OSCE either. In short, you do not need other certifications to get OSWE, but if you have them you will of course benefit.

# What's in AWAE training content?

Unfortunately, I am not able to talk about the content of the training, because that would be unethical. But I believe I will still provide enough information.

The course syllabus is shared by OffSec. You can access it via the link below:

- >> AWAE Syllabus

In addition, the vulnerable applications and versions used for the topics explained in the training were previously shared on GitHub. This information can be found at the following addresses:

- >> Project AWAE-PREP
- >> Project AWAE-Preparation

The training content was prepared by Steven Seeley (mr_me). Therefore, I think it is useful to read the blog posts he has shared. You can access his personal blog at srcincite.io.

In general, the main topic they want to convey is executing commands on the server through web applications. The training tries to show how vulnerabilities can be converted into RCE, or which types of vulnerabilities can lead to direct contact with the server. How to exploit these vulnerabilities is also covered.

The training also provides information on source code analysis. It focuses on code tracing to discover vulnerabilities and on which functions developers tend to leave vulnerabilities in. In fact, we can say that they wanted to provide training to discover vulnerabilities from scratch and exploit them.
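To illustrate the code-tracing idea above, here is an added example (my own, not material or code from the AWAE training) of a deliberately small taint tracer that follows data from PHP request superglobals to dangerous sinks, the same source-to-sink reasoning you do by hand during source code analysis. The sample PHP, the sink list and the sanitizer list are assumptions constructed for this example.

```python
import re

# Constructed sample of the kind of PHP reviewed during source-code analysis
# (assumed for this example; not taken from any real application).
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$name = $_POST['name'];
$safe_id = intval($id);
$q = "SELECT * FROM users WHERE id = " . $id;
$r = mysqli_query($conn, $q);
$r2 = mysqli_query($conn, "SELECT * FROM users WHERE id = " . $safe_id);
system("ping " . $name);
echo htmlspecialchars($name);
"""

SOURCE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")  # where user input enters
VAR = re.compile(r"\$\w+")                               # PHP variable references
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.*);\s*$")
SANITIZERS = ("intval(", "htmlspecialchars(", "(int)")   # assumed to clean the value
# (sink pattern, sink name, vulnerability class reached if tainted data gets there)
SINKS = [
    (re.compile(r"\bmysqli_query\s*\("), "mysqli_query", "SQL injection"),
    (re.compile(r"\bsystem\s*\("), "system", "command injection"),
    (re.compile(r"\becho\b"), "echo", "XSS"),
]


def is_tainted(expr: str, tainted: set[str]) -> bool:
    """Tainted: reads a request source or a tainted variable, with no sanitizer."""
    if any(s in expr for s in SANITIZERS):
        return False
    return bool(SOURCE.search(expr)) or bool(set(VAR.findall(expr)) & tainted)


def find_taint_flows(php: str) -> list[tuple[int, str, str]]:
    """(line number, sink, vulnerability class) wherever request data reaches a sink."""
    tainted: set[str] = set()
    findings: list[tuple[int, str, str]] = []
    for lineno, line in enumerate(php.splitlines(), 1):
        for pattern, sink, vuln in SINKS:       # 1) does tainted data hit a sink here?
            if pattern.search(line) and is_tainted(line, tainted):
                findings.append((lineno, sink, vuln))
        m = ASSIGN.match(line)                   # 2) propagate taint through assignments
        if m:
            lhs, rhs = m.groups()
            if is_tainted(rhs, tainted):
                tainted.add(lhs)
            else:
                tainted.discard(lhs)             # reassigned from clean data
    return findings
```

On the sample it reports the unsanitized `$id` reaching `mysqli_query` on line 6 and `$name` reaching `system` on line 8, while the `intval()` and `htmlspecialchars()` paths are left alone; real review has to follow the same flows across functions and files, which this single-file, single-line logic deliberately does not attempt.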

# Suggestions

If you are not in love with the WEB, I suggest you register for different certification programs. Before entering the certification process, you should be familiar with the popular vulnerabilities in web applications, because the AWAE training does not explain the basic logic of vulnerability types like XSS, SQLi, RCE, session hijacking, etc. You should master the logic and discovery processes of many types of vulnerabilities.

For example, details of database languages such as MySQL, PostgreSQL or MSSQL are not provided. This means you must already have used these databases to exploit SQL injection vulnerabilities, and have exploited several types of SQL injection against them, because you will see only a few different exploitation techniques in the training.

One of the most important things is exploitation. You need to know in advance how to automate exploitation. My suggestion is to use the HTTP client libraries of popular languages, such as Python's requests, httplib or httplib2; Ruby's net/http or HTTPClient; and JavaScript's XMLHttpRequest.

The other issue to deal with is knowing which subjects to focus on. If you do not study the right things, the process can drag on and become irreversible. First, identify the topics you are not familiar with and work on them separately from the certification training. You can continue the certification process as soon as you think you have the necessary prior knowledge. This way you can easily capture the points they want to convey.

Personally, my ASP.NET knowledge was weak, and I spent about a month working on this core structure. Then I returned to the main subject and continued the journey through security source code analysis. You should also work on your weakest programming languages to improve them, and then continue the certification process. A building with a poor foundation can collapse in an earthquake; knowledge with a poor foundation can collapse too. So you need a solid foundation before you reach a high level of knowledge.

# What you need to know about the exam

There are five different machines in the exam: two target machines, one Windows and one Linux server, and two copies of these machines for debugging. The credentials of the copy machines are provided to you. The fifth machine is a Kali Linux machine that you can use during the exam if you wish; its information is also provided to you.

Each machine hosts one web application, each written in a different language. What you are asked to do is examine the source code of these applications on the copy machines and discover the vulnerabilities that were deliberately placed. Then you attack the target machines with these vulnerabilities and capture the flag in the proof.txt file.

Your first goal is to become an authenticated user in the application (Authentication Bypass). Finally, you should execute a command on the server through a different vulnerability in the application (Remote Code Execution). Source code analysis, vulnerability scanning or automated exploitation tools are strictly forbidden in the exam; fully manual work is required. Each AB is worth 35 points, while each RCE is worth 15 points, so you can reach a maximum of 100 points in total. The minimum passing score is 85, so you have the luxury of missing only one RCE vulnerability. It is also expected that, on at least one of the specified machines, you combine the discovered vulnerabilities into a one-click exploit in any language of your choice.

The total duration of the exam is 48 hours. If you pass the exam, an additional 24-hour reporting period is provided.

# Things that need to be mastered before the exam

- You should be able to perform code analysis on applications written in PHP, JavaScript, ASP.NET and Python. (Very important)
- You should master MySQL, MSSQL and PostgreSQL, the popular database languages.
- You should have the knowledge to exploit the vulnerability types manually. (Automated tools are not allowed in the exam.)
- To exploit the vulnerabilities you discover, you should know at least one of the following languages: Ruby, Python, Perl. (Very important, because even if you have discovered the vulnerabilities, you cannot get points if you cannot exploit them.)
- You should master different techniques and vectors for command execution on the server. (Even if the vulnerability is discovered, the payload/vector required to execute the command must be appropriate; otherwise you may not be able to execute commands.)

That's all I wanted to talk about. You can leave your questions and comments about OSWE in the comments field below. I'll try to answer as many as I can. I hope it has been a useful article.

Ambitious days ;) (AkkuS)