
The OSWE in Review.

The OSWE is the Offensive Security Web Expert certification you earn by completing the recently re-branded WEB-300 course (Advanced Web Attacks and Exploitation) and then taking and passing the fully-proctored 48-hour exam. The course mostly uses a whitebox/code review approach: students are required to read and understand the code of different applications written in several programming languages, such as C#, Java, PHP and JavaScript, as well as SQL for databases.

As many of us did in 2020, we tried to keep busy and make good use of the time in those difficult moments; many opted to go for a certification, a course, a training or similar, and the wave of posts and articles related to these achievements is a testament to this (and also part of the reason I delayed my own post).


A word about Application Security & Coding

Before we dive in: cyber skills are in high demand these days and will continue to be for a long time, since the undeniable need to provide a secure online experience to the user, coupled with an unstoppable digital transformation, simply demands it. Note that this is true not only for cybersecurity-related skills but also for those related to information technology in general.

Within cybersecurity, application security deals with all controls and practices around the conception, development and maintenance of secure software applications. Applications are not only ubiquitous, they also evolve as fast as technology allows; everything you access through a web browser or your mobile device nowadays is an application. It is only logical that most security efforts revolve around keeping them safe; even efforts in other areas such as infrastructure or networking are ultimately taken to ensure applications work correctly in the first place. Needless to say, those areas are also important and require their fair share of attention.

Organizations as important as OWASP focus mainly on the security of applications (web, mobile, APIs, etc.).

Underneath every single one of these applications we find their source code doing the “magic”, and it is at this level where things get really interesting: every vulnerability in an application has its roots in badly written or vulnerable code, therefore being able to read and understand code is a vital cyber skill for comprehensive application security. –To me, being able to read and write code is one of the most competitive advantages one can have in this field, and it is a requirement for the OSWE certification too.


So, who should take this certification?

This is certainly not an entry-level certification; if you have application penetration testing experience or are looking to work your way into application vulnerability research, then this one is for you. For everyone else, I’m not looking to discourage anyone, but be aware that advanced coding skills are required.

Although their OSCP certification is not a requirement for OSWE, it is recommended to go for that one first, as it gives you a strong base of pentesting skills; you can think of OSWE as a specialization in web applications.

This certification should be taken by individuals who know their way around source code and how to navigate long and complex code execution paths in search of vulnerabilities. Understanding concepts related to object-oriented programming (classes, fields, methods, interfaces, inheritance, polymorphism, overloads, overrides and others) is also required to navigate the source code of different web applications.

It is also necessary to fully master at least one programming language, as the course and exam require you to write exploitation scripts that chain different vulnerabilities into RCE (Remote Code Execution); Python is the default choice here.


OSCP vs OSWE

There is no mystery here, they are completely different: OSCP gives you the basic abilities you need for penetration testing of networks, applications and operating systems, while OSWE is a head-on dive into attacking web applications only.

Web applications are one of the topics in OSCP; OSWE expands on it in depth.

The labs are different too. When I took the OSCP certification a few years ago (and note that I’m not familiar with the recent course upgrade) you had 50+ lab machines and at least 3 different network levels to play with; OSWE, on the other hand, gives you only 7 lab machines with 8 different web applications to work with. Another difference is that the OSWE material walks you through all of the machines in the lab, while in OSCP you must conquer lab machines on your own.


Overview and Preparation

If you have had any experience with cybersecurity certifications, then you might relate to those multiple-choice and often tricky exams for which you need to consume large quantities of text in preparation (–CISSP and CEH come to mind). Historically, these certifications have been considered gate-keepers, meaning that they are usually required to get past the initial HR line. –I don’t really agree with gate-keeper certifications, but finally this seems to be changing into a more hands-on approach.

Technically-oriented certifications with fully hands-on exams, on the other hand, require students to learn and apply basic and/or advanced skills that are demonstrated in a fully-proctored exam. OSWE (and all of OffSec’s certifications, for that matter) fall into this category. –I certainly prefer this kind of certs!

I prepared for this certification for about 5 months in total. During the first 4 months, having a full-time job, the available time was at night on business days, spending 6-7 hours on a good night and of course making the most out of the weekends, where I would spend day and night in study mode. The remaining month I spent designing my own methodology to approach targets with a full whitebox approach.

Weekends are key; make sure you spend them wisely if you are under the same circumstances.


The Course

I had initially purchased the course and 3 months of lab time and started covering the materials, which come in the form of a long PDF and a list of video tutorials walking the student through the relevant parts of the course. The contents are various topics focused on web application vulnerabilities. The usual stuff was covered, like XSS, CSRF, file upload restriction bypasses and SQL injection (with emphasis on boolean-based and time-based scenarios, which makes it more interesting than the usual SQLi), as well as more advanced stuff such as deserialization attacks, type juggling, Server Side Template Injection, XML External Entity processing, weak encryption and command injection. All of this with emphasis on bypassing authentication and gaining Remote Code Execution.

The 2 topics I enjoyed the most were deserialization attacks and Server Side Template Injection; I learnt a lot from both.

A good amount of the course was also dedicated to DBMS (Database Management Systems), mainly related to SQL injection. MySQL and MariaDB as well as PostgreSQL and HSQL were the focus here; bypassing input restrictions and getting a reverse shell through the DBMS were the main subjects.

My strategy for covering the materials was simple: cover sections of the PDF (including exercises and extra miles) and then switch to the video tutorial corresponding to that section.

In covering the course material and resolving the exercises, I first read a section to get an idea or a general sense of where the material was going, and then tried to come up with my own solutions to the problems or exercises before reviewing the proposed solutions.

Extra miles are also very important: these are exercises you have to complete on your own. They are based on the material covered in a section, but they are left for students to resolve by themselves. Do pay close attention to extra miles and make sure you complete them, as they are the most important in getting your mindset ready for the exam. –Use the forums for guidance only if you are really stuck and have spent a considerable amount of time and effort trying to solve them.

I covered the materials within the initial 3-month period; however, a week after having finished the course, I received an email from OffSec stating that the material of the course had just been upgraded and that 50% of newly added content was now available. –Thankfully they played nice and provided the extra material and 1 extra month of lab time for free.

I had mixed feelings about this news of the upgraded material: I was glad I was given access to the upgraded material to learn new stuff, but I was also worried about the possible increase in difficulty of the exam that this could result in. I completed the new material within the extra month, just in time, but still didn’t feel ready to jump into the exam right away. –I felt I still needed to sharpen my code review methodology a little more.


The Exam

The exam was a 48-hour, fully-proctored experience. I started late in the day on a Friday, 15 minutes before the time I had received in the initial communication, to start the initial interaction with the proctor. I received my exam package by 6 pm and was ready to start. –A good piece of advice here is to make sure you have the required proctoring tool (a browser plugin) already installed and working; there are even test credentials which you can request and use to test the proctoring tool in advance.

After verifying the connection to the exam lab, I started working on the first target. There is not much information I can share in this regard for obvious reasons, but in general you get VPN access to 5 machines: 1 is a Kali instance that you can use for the exam (–I did not use or touch this one as I was using my own Kali instance), and the other 4 are pairs, where each pair consists of one test machine and one target machine. You have full access to the test machines, while the target machines are images of the test machines but with different credentials.

You would first access the source code of the application on the test machines in order to identify and exploit a chain of vulnerabilities that results in Remote Code Execution. Once you get it working on the test machine, you would then launch the attack against the target machine to get the required flags, which are nothing but hashes you obtain through authentication bypass (local.txt) and RCE (proof.txt).

Within the first 24 hours I had already been able to crack the first target, and by the 30th hour I already had everything I needed to pass the exam; I still needed to finish coding the chains as well as double checking and even triple checking the fully-working Python exploitation scripts.

To me, the most important message I can relay about the exam is to have a plan of attack or methodology for approaching targets, which in my case included mind-states like:

  • If I find myself against this, then I should at least look for this, this or this.
  • If I find this technology doing this, then I should keep an eye open for these types of vulnerabilities.

For instance: “If I find a Java application doing deserialization, then I should keep an eye open for insecure deserialization”. This would of course not exclude the other technologies; they are simply rank-ordered in terms of likelihood. My order in this case was: 1) Java, 2) ASP.NET and 3) PHP.

I combined these mind-states with elements 3 and 1 (namely: performing line-by-line review of risky code and tracing user-controllable data) of the Code Review Methodology described in Chapter 19: Finding Vulnerabilities in Source Code of The Web Application Hacker’s Handbook, Second Edition [1].


About Proctoring

The entire exam is proctored, meaning that your computer screen needs to be shared with OffSec’s proctors the whole time. At the beginning of the exam and every time you change rooms you have to show the proctor your surroundings. –I found this a bit too much, but it is what it is.

Other than the initial interaction with the proctor and having to let them know every time you stand up from your computer as well as every time you come back, there is actually not much interaction with them. –A funny thing happened to me here: after moving to another room for a change, I jokingly told the proctor to wake me up if I fell asleep; needless to say, I fell asleep shortly after and was woken up by the beeping chat.

Make sure you get the rest you need when you need it!


How am I applying the gained knowledge?

Part of my job requires me to do code review of application releases, so I knew I would partially apply the knowledge there; in any case, the certification was more of a personal challenge I had set for myself. –I just knew I needed to get out of the comfort zone I was falling into at that time.

Currently I have also been able to apply code review techniques to verifying security findings by investigating the source code of applications and determining their risk level and exploitability.

In the future, I’m aiming to get into application vulnerability research by executing full whitebox code reviews on the source code of applications.


Final words

Overall this was a great experience; it helped me refresh topics as well as learn new techniques and vulnerabilities. I would completely recommend it, with the caveat of having strong coding skills as a requirement.


Resources

  1. The Web Application Hacker’s Handbook, Second Edition. Chapter 19: Finding Vulnerabilities in Source Code.
  2. OWASP’s Code Review Guide 2.0. Section 3: Methodology.
  3. AWAE PREP. wetw0rk.
  4. OSWE/AWAE Preparation. Z-r0crypt.