Does WEB-200 (OSWA) certification worth it?

If you ask any OSCP-certified penetration tester about what certification is the most attractive for you as a next step, then he would say OSWA. With its web-focused penetration test content in place, most beginners and experienced penetration testers want to go after it but ask about its worthiness. So does web-200 (OSWA) certification worth it?

The OSWA course was built to complete the OSCP content by focusing on the web application vulnerabilities exploitation. In addition, the OSWA represents the best first step to take in the journey of web application penetration mastering.

In this blog post, we are going to discuss the content of this certification and the different aspect that it cover. We will also explain why this content was made and why it would be beneficial to go after this certification in the future. So if you are interested in knowing more about this certification just keep reading.

What are you going to learn in OSWA certification and why?

1. Copyright
2. Introduction to WEB-200
3. Tools for the Web Assessor

The third chapter of the OSWA course introduces the students to the different tools that they may need to use during the training. Mastering those tools is necessary to maximize the code coverage of your tests and accelerate the process. Those tools are either fully automated ones to scan the target or semi-automated ones to just assist the penetration in his penetration test mission.

This chapter also gives a quick idea about the wordlists and the way they can be chosen and used in the tests. For example, wordlists can be used to enumerate hidden web application files, or wordlists can be used to find a user password.

What I really liked about this chapter is the Shells section. This part is very useful for beginners and will help them understand the different shells that they can use during a penetration test.

• Cross-Site Scripting (XSS) Introduction and Discovery
• Cross-Site Scripting (XSS) Exploitation and Case Study
• Cross-Origin Attacks

The next three chapters introduce the student to the next level of XSS vulnerability exploitation. Most penetration testers and developers think that the XSS vulnerability could only be used to either redirect the user to a malicious website or to steal its cookies. However, the XSS vulnerabilities are very dangerous and could be used to even have full control over the end-user machine. Those chapters actually deal with the subject and try to introduce the student to this level of exploitation. I personally think that those chapters are complementary to the XSS exploitation of the old OSCE certification.

In the same logic, the 6^th chapter introduces the CSRF vulnerability and the way it can be detected and exploited.

• Introduction to SQL
• SQL Injection (SQLi) and Case Study

The 7^th and 8^th chapters try to make the student aware of the manual exploitation of the SQL injection. In most cases, the SQLmap tool is used by penetration testers to exploit vulnerabilities. However, in some advanced situations where the application is protected by a WAF, using an automated tool may get quickly stopped and IP blocked. Therefore, using a manual technique may become necessary.   

• Directory Traversal

The directory traversal vulnerability is one of the vulnerabilities that are very under-estimated. Most people think that the maximum impact that this vulnerability could do on a system is to list the files and display them. In reality, more advanced exploitation of this vulnerability could lead to even a remote code execution. If you want to understand the difference between directory traversal and local file inclusion, I highly recommend reading the following blog post.

1. XML External Entity (XXE) Processing

In this chapter, the offensive security team tries to introduce the student to one of the advanced vulnerabilities and less known compared to SQL injection, which is the XXE vulnerability.

Here, the offensive security team behind this certification tries to explain the theoretical aspects of the XXE vulnerability and the different types of it. In addition, this chapter explains the ways that can be used to detect and exploit this vulnerability.

1. Server Side Template Injection (SSTI)
2. Command Injection
3. Server Side Request Forgery (SSRF)
4. Insecure Direct Object Referencing

The same thing is basically done in all the following chapters. The course introduces the student to different web vulnerabilities that he may find during his penetration test. In addition, at the end of each vulnerability chapter, the team describes a realistic case study that shows in practice how to detect and exploit those vulnerabilities.

Does the content in the OSWA certification up-to-date?

The OSWA certification is one of the newer certifications published by Offensive security. Therefore, most of the content discussed in it is up-to-date and you will definitely face situations in real life where you may need to exploit at least one of those vulnerabilities.

It is true that the vulnerabilities discussed in the course are very old, and many tutorials could be found on the web about them, but the best thing about offensive security courses is the lab that you can use to actually practice what you have learned.

Is the OSWA exam technical or QCM based?

As usual for all Offensive security certifications, the exam is purely technical with 24 hours reporting. The technical exam duration is 23 hours and 45 minutes.

During the technical exam period, you will get 5 web applications that you should exploit to gain access to the system. After getting the shell you will need to retrieve the local.txt file and the proof.txt file and submit them in the control panel, basically like OSCP, OSCE, or OSWP.

The only difference here compared to OSCP is that you don’t need to perform any privilege escalation to obtain the proof.txt that is in the root directory.

You can also expect the exploitation of vulnerabilities that require human interactions, like XSS, CSRF, and others. The offensive security team put in place an emulation of the required behavior to allow such exploitation to happen.

As usual, to pass the exam you will need to get at least 70 points out of 100.

How to prepare for the OSWA certification?

To accelerate your learning process in the OSWA certification, I highly recommend getting more familiar with how the browser works and the why behind using cookies for example, and how the HTTP protocol works. In addition, a good understanding of the network protocols and a mastery of Linux commands will be a good help to you. Moreover, having a good idea about even the windows commands would be a great addition for you, especially during the lab or exam.

I also highly recommend practicing your skills in some of the platforms that already exist on the web for vulnerable applications, like DVWA or any other available ones. This will get you familiar with the different exploitation techniques before going after this certification.

OSWA vs OSCP who is the best for me?

The certification that you need to pursue, depends on the technical level you have and the field you may want to specialize in it. I would say for a beginner to the intermediate penetration tester, that the OSWA certification is the next step after getting the OSCP. This certification will allow you to gain more skills to gain your first access to machines during real-life penetration test missions.

For an advanced penetration tester, it depends on the technical level he has on the web penetration tests. If he has a deep and advanced knowledge of web applications I would not recommend going after this certification as it might become a waste of time for him and he can directly try to get the OSWE. However, if he does not have advanced knowledge in web application penetration tests, then starting with this certification is the right thing to do.