In this piece, Fortego Analyst Adnan Khan — who completed Offensive Security’s Advanced Web Attacks and Exploitation (AWAE) course and passed the Offensive Security Web Exploitation (OSWE) certification exam in November 2020 — answers some common questions on what CNO professionals should know going into the course and exam, including recommended skills, time management tips, and links to helpful resources.
Adnan also sat down for a 10-minute video Q&A that recaps the must-know info on the AWAE course and OSWE exam, and you can find it on Fortego U here.
AWAE Course Questions
Where can I find all the information, including how to register, for Offensive Security’s AWAE course?
The course overview and syllabus that Offensive Security provides on its website goes into the structure of the course materials pretty well, and it’s also where you can register. See the links below.
What did the more recent version of the AWAE course have to offer compared to past versions?
The course was updated in July of 2020, which added 50 percent more content to the course along with 3 custom challenge machines.
How does the AWAE course compare to Offensive Security’s other courses?
This course is, first and foremost, on white-box analysis of web applications in order to find vulnerabilities. This is quite different from a course like PWK and the associated OSCP cert, where you do not have access to source code of the target systems. One of the additions that came with the July 2020 update is a module on black-box testing, and one of the target machines in the lab does not provide access to the source code, but the rest of the material focuses on white box testing.
What’s the general methodology Offensive Security teaches on white-box testing?
This course introduces a methodology for white-box testing in the course modules that can be summarized as follows:
- Search source code for potentially vulnerable code
- Trace backwards to find web application end-points that can be accessed externally that will pass user-controlled data to previously found vulnerable code
- Send specially crafted input to try and exploit the vulnerability
This skips over more specific steps like bypassing input sanitization or handling payload formatting, but at a high level this is what the workflow is.
What would you say is one of the most beneficial takeaways from the course?
An aspect that stood out to me is that this course forces you to understand how a lot of the attack techniques covered work. I will use SQL injection attacks as an example. Prior to this course, after finding an SQL injection vulnerability in HackTheBox or a CTF, I would simply run a few canned payloads against it or use SQLmap (which is banned on the OSWE exam). I really did not think to understand how the injection point or the backing DBMS impacted the payload. This course forces you to gain a deeper understanding – expect to spend time reading over Postgres or MySQL documentation to understand query structure even after discovering an injection point.
How can I prepare for the course?
Prior to taking the course, it is helpful to have a familiarity with how modern web frameworks work. Source to sink analysis, which is tracing user control input through source code in order to determine if it is used in any unsafe manner is present in every part of this course. Understanding concepts like the MVC architecture will be critical for this course.
PortSwigger, which is the company that is behind Burp Suite provides a fantastic free resource for learning web application hacking, available here: https://portswigger.net/web-security.
Going through this should provide a sufficient level of comfort with Burp prior to taking this course. To go even further, the same exercises on the PortSwigger lab can be done using Python.
How much Python experience do I need?
Being comfortable with Python scripting is critical for this course. The exam will require development of “turnkey” exploits to achieve full points. If you are familiar with exploit POC code present on websites like Exploit-DB, this is the type of code that you will need to write during the exam. Essentially: run script, get reverse shell.
What you will not need to do is develop complete Python object oriented applications, so if you aren’t used to writing more than single file Python programs, do not fret. You will, however, need to make sure to be comfortable with the following.
- Be very comfortable with the requests library. Understand how it can be used to perform actions like multipart file uploads. In addition, learn about how the sessions functionality of requests can be used to interact with websites that require logging in and establishing a session in order to perform authenticated actions.
- Understand the difference between tuples, lists, and dictionaries in Python
- Know how to use the sub-process module to call out to external programs, provide arguments to them, and receive output.
- Understand string manipulation. Be able to write code to “fix” strings by cleaning up whitespace, escaping characters, etc. Since AWAE covers more advanced web exploitation, standard off the shelf payloads will not work and will likely require some processing.
- Learn how to read Python library documentation, so if you need to use a 3rd party library, then you can understand how to pass the correct parameters to class constructors and/or functions used in order to craft your exploits.
Do I need OSCP before taking the course?
Offensive Security recommends attaining the OSCP certification prior to taking the course, however for those of us that are already working in offensive cyber, this is not as clear cut. The course definitely assumes existing knowledge of pentesting terminology and attack types.
If you are able to complete recent easy/medium machines on HackTheBox, and are comfortable taking notes and writing up your methodology, then this will probably cover the PWK/OSCP portion of knowledge required for the course. There isn’t much overlap with the initial enumeration portion of the OSCP course (running port scans, etc.) so you can get away with being a bit rusty with those steps for the OSWE.
Who would benefit from this course (given that knowledge requirements are met)?
- Anyone interested in increasing their skills to participate in bug-bounty programs.
- Vulnerability researchers who want to analyze web applications (or desktop applications built using web technologies) for exploitable vulnerabilities.
- Web developers wanting to improve their understanding of web app security
- OSCP holders who want to work towards the “new” OSCE cert (which requires 3 certs: OSWE, OSEP, and a third to be released early 2021).
How much lab time should I get?
The course offers three tiers for lab duration: 30, 60 and 90 days.
Prior to the update in July 2020, the 90 day lab time was considered excessive, with most people opting for 30 or 60 days. After the update I would say that 30 days is too short unless you are aiming to dedicate 30+ hours a week to the course. I personally went for 90 days and was able to allocate an average of 12 hours a week to the course. By the end of the course I had done all of the custom boxes along with all but a handful of the “extra mile” exercises.
OSWE Exam Questions
How does the actual test-taking process of the OSWE exam work?
The OSWE exam is a 48-hour-long proctored exam. Following the exam, you have another 24 hours to compile and submit an exam report.
What tips would you give someone going into this exam in particular?
Pacing yourself is very important. Unlike the OSCP exam which very often requires a 20+ hour long race against the clock with no sleep, this exam is much more forgiving in terms of time. Still, I suggest planning to get at least 6 or 7 hours of quality sleep the first night because being fresh and functional the following day will far outweigh hacking through the night and running out of mental energy 20 hours into the exam.
I also recommend being mindful of rabbit holes and take good notes! It cannot be understated the value of documenting every approach, whether successful or not, because something that seemed like a dead end can end up being very useful later.
In addition, preparing your environment before jumping in and trying to hack boxes is an absolute must. The course covers tasks like setting up a debugger and enabling verbose logging for web frameworks and databases. These aren’t fun “code slinging hacker” tasks, but the course covers them for a reason, and you can bet that skipping these steps will lead to a rough 48 hours.
How did you schedule yourself for the exam from start to finish?
My timeline went as follows.
- Start Exam: Friday at 12 pm – All Day
- Sleep: Saturday at 12 am – Sunday at 8 am
- Resume Exam: Saturday at 8:45 am – All Day
- Finished Exam: Saturday at 10 pm
- Sleep: Saturday at 10 pm – Sunday at 6 am
- Submitted Report: Sunday at 9 am