Advanced pen-testers and information system auditors are all familiar with the OSWE certification. Granted by Offensive Security, one of the most renowned penetration testing companies around, the certification declares any passing student to be an Offensive Security Web Expert. Such a title practically certifies its holders as truly experienced pen-testers.
Of course, to get it, students have to pass a highly challenging exam that has numerous hurdles. That’s not all. The certification itself is quite pricey but, on the plus side, it doesn’t have an expiration date, which means that anyone that boasts it can be sure they’ll have a high return on their investment even years down the line.
One more thing – the OSWE certification requires the Advanced Web Attacks and Exploitation (AWAE) course. That means that anyone attempting to pass the OSWE exam needs to go through the AWAE course material and training beforehand. That makes sense, as the AWAE course provides the necessary knowledge and practice to tackle the hard exam ahead. That’s why we’ll take a look at the AWAE first and then go through a couple of practical tips for taking the OSWE exam.
AWAE Basics
Anyone taking the course needs to have a strong set of skills before starting. Some of those include familiarity with coding in Java, JavaScript, Python, and .NET development services as well as experience with Linux. They should also know how to write scripts in Python, Perl, PHP, and Bash. Additionally, a general understanding of web app attack vectors is a prerequisite.
The course goal is for students to learn how to perform advanced web app source code auditing, exploit web vulnerabilities, implement chained attacks targeted at multiple vulnerabilities, and develop lateral thinking to come up with creative exploits. The vulnerabilities in the course are somewhat common and come from real open-source projects. Students can then access a test environment through a VPN to put what they’ve learned in action.
Some of the tools used throughout the course include Burp Suite, Kali Linux, and Metasploit. They are used in a wide array of topics, including session hijacking, cross-site request forgery (CSRF), blind SQL injection, and insecure deserialization, among many others. The ultimate goal is to fully exploit a system to gain remote administrative access and remote SSH to a web system.
The course covers 6 hours of video lectures and a 270-page course guide, with varying lab access (depending on the price you pay). Once the course and the practice are done, it’ll be time to take the exam.
OSWE Generalities, Challenges, and Tips
The OSWE certification exam is online, lasts 48 hours, and consists of a hands-on assessment of a web application through a VPN. The entire exam is watched by a supervisor who keeps strict vigilance throughout. In fact, before the exam begins, students are asked to validate their ID and show their workstation in detail through a web camera. Within the exam environment, you’ll attack various web applications and operating systems. Points are awarded for each compromised application, based on its difficulty and the level of access obtained. Screen sharing and the camera itself are on at all times during the exam.
During the test, students need to successfully exploit a number of vulnerabilities, including the ones covered in the AWAE course as well as custom-made vulnerabilities developed specifically for the exam. The ultimate objective is for you to get shell access to a server by bypassing a sophisticated authentication system. Each time a student exploits a vulnerability, they are awarded some points. They pass if they get at least 80 points.
Some of the things that make the exam extremely challenging even for experienced pen-testers include:
● There are no instructions. Students get a server IP and a test environment without further comments.
● Vulnerability scanners aren’t allowed.
● The clock doesn’t stop ticking at all. Bathroom and meal breaks all count in the 48-hour timeframe (and the supervisor should be notified of them).
In light of that, it’s important that anyone considering taking the exam keeps a couple of things in mind. First of all, experiences vary from student to student, so it’s better to be careful when reading online accounts of past OSWE exams. From people claiming that the exam is easy to people saying that it’s impossible, reading them can discourage any pen-tester. The best course of action is to ignore subjective opinions and keep studying.
Having theoretical knowledge is important, but so is having a lot of security and development experience. Without them, the exam surely is impossible. There are approaches and ways of thinking that can’t be learned in a course but rather come from years in the field. That’s why OSWE is recommended for advanced pen-testers.
Keeping a record of that personal knowledge (which can include practices, commands, and tricks) can be very useful when preparing for the exam, as it can help in remembering these experiences and keeping them fresh.
Finally, the most important thing of all – keeping a positive attitude and avoiding frustration. The exam is quite demanding both psychologically and physically, so students have to come prepared to endure a very stressful environment where they are being watched all the time. No amount of practice prepares them for that, so it’s important to keep an “I can do this” attitude even in the face of overly complicated challenges.
Studying for the OSWE exam alone can turn any student into a better pen-tester. Of course, it’s not the same without the proper certification but this should serve as a consolation prize for anyone that still can’t be certified because, in the end, it’s all about being better professionals.