I took the Advanced Web Attacks and Exploitation (AWAE) course in 2019 and attempted the exam first time in late 2019. That time I failed but booked another attempt and passed it. So, finally, I have the Offensive Security Web Expert (OSWE) certification.
I passed the OSCP exam earlier but this course was pretty different. I have a long history dealing with web application development and I have done a good amount of pull request reviews. Also, most of the vulnerability types covered in the course were more or less familiar to me. This perhaps made me think that the course is an easy one. However, while going through the extra miles of the course it became clear that I was wrong.
The most important thing to learn during the course is how to develop methodology to review large amounts of previously unknown code and spot potential vulnerabilities. There are a couple of tips and hints how to do that in the course material but there isn't any ready solution provided.
I won't say much about the exam. I believe it is possible to pass on the first try with the skills and knowledge learnt from the course and labs. However, it is not easy and requires a disciplined approach. Randomly skimming through the code won't be the way to victory.
Here are my tips
The common question is what next? I think I am done with certificates for a while. I have a CAN bus related hobby project starting, Disobey 2020 to attend and obviously doing some white box assessments with these new skills.
I passed the OSCP exam earlier but this course was pretty different. I have a long history dealing with web application development and I have done a good amount of pull request reviews. Also, most of the vulnerability types covered in the course were more or less familiar to me. This perhaps made me think that the course is an easy one. However, while going through the extra miles of the course it became clear that I was wrong.
The most important thing to learn during the course is how to develop methodology to review large amounts of previously unknown code and spot potential vulnerabilities. There are a couple of tips and hints how to do that in the course material but there isn't any ready solution provided.
I won't say much about the exam. I believe it is possible to pass on the first try with the skills and knowledge learnt from the course and labs. However, it is not easy and requires a disciplined approach. Randomly skimming through the code won't be the way to victory.
Here are my tips
- Get familiar with the common programming languages
- Learn grep and powershell equivalents
- Practise setting up and using debug tools
- Study common web application frameworks
- How does the login work?
- Session handling?
- Database access?
- Configuration files?
- Headers, cookies?
- Dependency management?
- Etc
- Eat, drink, sleep
The common question is what next? I think I am done with certificates for a while. I have a CAN bus related hobby project starting, Disobey 2020 to attend and obviously doing some white box assessments with these new skills.
Comments
Post a Comment