My OSWE journey

Advanced Web Attacks and Exploitation (WEB-300) is an advanced web application security review course. It teaches skills needed to conduct white box web app penetration tests. Students who complete the course and pass the exam earn the Offensive Security Web Expert (OSWE) certification, demonstrating mastery in exploiting front-facing web apps.

Honestly for my case, OSWE has been a certification I have been running away from for a long time after my OSCP because of the high development background it requires. But I had no choice but to face it when the old OSCE certification was revoked and replaced by  OSCE3. OSWE is now one of three certifications making up the new OSCE3 certification, along with the OSEP for advanced pentesting and the OSED for exploit development.

My OSWE journey started by the end of December 2020. I was getting ready to move from China to Benin when I bought the course with the purpose to start in the middle of February 2021. When I started the course and the lab, I learned many things. I was particularly happy to learn how to exploit blind and time based sql injection. I even had opportunities to exploit them in a live environment for web penetration activities. Indeed, I was recruited as senior cyber security analyst at bjCSIRT, and in my daily tasks, I was called to perform penetration testing on web apps. Even if the journey was hard, I learned much.

OSWE teaches where and how to detect bugs in web application code, this is called code review. One of the most vulnerability covered is authentication bypass and this is done in many languages such as PHP, java, .NET. The process to detect bugs is methodic, strategic and time consuming. But once the process is known, the remaining work can be easy. WEB300 course teaches a way to exploit automatically with a script (focus point on python language), what is done manually.

Initially, I bought the course with a one month lab, but I realized at the end of the month that it was not enough. Nevertheless, I’ve built my own local lab at the end of the lab period to practice more and also to test the script I’ve built  and customized  to look for the different vulnerabilities learned (sqli, magic hash etc). The practice period was long because of the complexity of some topics of the course which was a bit tough for me to assimilate. When I felt more ready(around august 2021), I bought another month of lab time and the understanding was this time, less hard. At the end of the lab, I scheduled my exam for the end of next september. The exam consisted of a 48h web code  review. Two machines are presented with the purpose to get Remote Code Execution (RCE) via an authentication bypass; presented as a first step. The most challenging thing is the fact that auth bypass and the RCE are linked, there’s no way to obtain RCE without successfully exploiting the auth bypass. Failing to detect one two auth bypass bugs (for the two machines) leads to failing the exam. During the exam, I really thought I would fail. The reality was more than what I was expecting. But fortunately, I managed to reach the blocking point on the second day of the exam.

Now when I am done with the exam, I can recommend it to anyone whose role is to review code for security purposes or to any web application pentester. WEB300 is more like whitebox, giving more ability to detect bugs compared to blackbox testing.

For the exam, I will suggest not to limit on what has been taught in the course, but to go beyond, the vulnerability might be less complex, but being vigilant is imperative. Python scripting skills with requests library is a very important skill to learn and to master without tempting to sit for the exam. Every step performed from the authentication bypass to the remote code execution must be scripted in only one scripting file.

A very interesting machine on vulhub that may help in the preparation is “secure code 1” which is available for free at https://www.vulnhub.com/entry/securecode-1,651/. 

For anyone looking to pass this exam, I wish a very good luck. The journey might be hard depending on the skills you don’t yet have but the arrival will be beautiful !