Is the WEB-200 (OSWA) certification worth it?
If you ask any OSCP-certified penetration tester which certification is the most attractive next step, he would say OSWA. With its web-focused penetration test ...
Once a professional penetration tester gets his OSCP certification, the decision on the next step is really hard to make. Some choose to go for binary exploitation, while others think about specializing in web applications and trying to get the OSWE. However, is the OSWE certification (also known as AWAE) worth it?
The AWAE course is the best web application penetration testing course made by Offensive Security. If a professional penetration tester seeks deep and advanced technical skills in web application vulnerabilities, then the OSWE certification is the best choice.
In this post, we are going to explain in detail why going after the OSWE certification would be one of the best choices a professional penetration tester can make. We are going to explain in detail what you are going to learn and what makes this certification the best on the market compared to others. So if you are interested in pursuing web penetration testing as a career, keep reading.
Most examples discussed in this course are based on Java and .NET applications. This choice is not random: most professional applications that you will work on during your career are built with those two technologies. However, all the techniques and tools that you learn in this course are applicable to every technology stack.
The first chapter of the OSWE course covers the tools and methodologies used. As you probably already know, following a good methodology during a penetration test can save you a lot of time and guarantee good results. Therefore, learning a methodology to follow, both during dynamic analysis of a web application and during a static code review, is a must.
One of the tools you will learn about, and which I am 100% sure you have already used, is Burp Suite. Burp Suite is the Swiss Army knife of web application penetration testing. The main reason for using this tool is its ability to intercept outbound and inbound requests (as a web proxy) so you can analyze the information and parameters that the browser sends to the target.
Moreover, what makes Burp Suite preferable to other web proxies is the extensibility that its community plugins offer.
In this section, you will also learn how to retrieve the source code of a compiled .NET or Java application for further static analysis.
The JavaScript prototype pollution vulnerability is an injection-type vulnerability that targets the server-side JavaScript runtime. By changing a specific property on a JavaScript prototype, an attacker can control the default values of all objects that inherit from it. Through this manipulation, the attacker is able to bypass business logic or security mechanisms, or even cause remote code execution.
The theory behind this vulnerability is easy to understand, but in practice it is difficult to discover in an application without the backend source code.
However, with the rising use of JavaScript-based backends, this type of vulnerability may become widespread in modern applications. Therefore, learning about the vulnerability and the different tools and techniques used to discover it may become very useful in the near future.
If you want to learn more about this vulnerability, I highly encourage you to take a look at the following blog post written by the Snyk team.
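To make the mechanism above concrete, here is an added example (not code from this post or from the OSWE course): a recursive merge helper of the kind that is a classic prototype-pollution sink, next to a hardened version, plus a cheap runtime probe a defender can use. The function names, the `isAdmin` property and the request body are constructed for the demonstration.

```javascript
// Added example, not code from the post or the OSWE course: a recursive
// merge helper of the kind that is a classic prototype-pollution sink, next
// to a hardened version, with a constructed request body as input.

// Vulnerable merge: walks into every key of the untrusted source, including
// "__proto__". Reading target["__proto__"] returns Object.prototype, so the
// nested object is written onto the shared prototype of every plain object.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuses the keys that lead to the prototype chain and only
// descends into properties the target itself owns, so untrusted input can
// never reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // never walk toward the prototype
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed body such as a JSON endpoint might receive. JSON.parse creates an
// own property literally named "__proto__" rather than setting the prototype.
const UNTRUSTED_BODY = '{"name":"guest","__proto__":{"isAdmin":true}}';

// Runs one merge against a fresh object and reports whether an unrelated
// object (the "default" every object would see) now claims to be admin.
// Deletes the polluted property afterwards so the process stays usable.
function demo(mergeFn) {
  const user = mergeFn({}, JSON.parse(UNTRUSTED_BODY));
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { name: user.name, polluted };
}

// Cheap runtime check (for example in a health probe): a fresh object should
// expose none of the keys the application treats as privileges.
function prototypeLooksClean(keys = ['isAdmin', 'role']) {
  const probe = {};
  return keys.every((k) => !(k in probe));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', demo(unsafeMerge));   // polluted: true
  console.log('safe:  ', demo(safeMerge));     // polluted: false
  console.log('clean now:', prototypeLooksClean());
}
```

The important design point is the key filter combined with an own-property check: the first stops `__proto__` and `constructor.prototype` paths, the second stops the merge from descending into inherited properties of the target. Libraries that have been patched for this issue apply the same two rules.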
As I said at the beginning, this certification can be considered complementary to the OSWA certification. Therefore, you should expect to go deeper into exploitation techniques for specific vulnerabilities such as SSRF, XSS, SQL injection, command injection, SSTI, and XXE. This gives you more options to consider during a penetration test when all the basic and easy ones fail.
Unfortunately, for web applications it is really hard to find other open-source vulnerable applications that have exactly the same vulnerability. Therefore, I highly encourage you to make the most of the Offensive Security lab.
A session hijacking vulnerability occurs when an attacker is able to retrieve the victim's session token and use it to log in to the web application. The root of this problem is the design of the HTTP protocol, which is stateless: it cannot by itself connect one request to another to form a session, so applications have to build sessions on top of it with tokens.
This is also an advanced vulnerability that is hard to detect if you do not have good experience with the different programming technologies and the way each of them manages sessions. However, once the vulnerability is detected, it is usually easy to exploit.
The impact of a successfully exploited session hijacking vulnerability depends on the victim's account privileges: the more roles and permissions the victim has, the more dangerous the impact.
Another very interesting and advanced technique you will learn in this certification is how to turn an SQL injection vulnerability (or, more generally, an SQL session) into RCE. These techniques are very useful, and you will definitely meet real-life situations where you need them.
You may already know some techniques that allow this sort of exploitation, such as using a built-in DBMS function to execute commands and get a reverse shell. But what if you do not have such a function, as in most situations where you deal with a MySQL or PostgreSQL DBMS?
The best thing about the OSWE course in this section is that it covers multiple databases, including MySQL and PostgreSQL. The technique explained in this section is the UDF (user-defined function). In addition, the OSWE course describes an interesting PostgreSQL feature called large objects, which helps with the UDF approach on PostgreSQL to get RCE.
I think I would need another whole blog post just to talk about each topic that you will encounter in this certification, as there is a lot of content. Therefore, I will stop here and just list the titles of some of the topics that you will find in this course.
The content of the OSWE certification is just awesome and up to date. I can guarantee that there is a lot to learn in this certification, especially if you want to specialize in web application penetration testing.
In addition, this certification is pretty new and the content gets updated every year. The last update was made in 2021, another happened in 2020, and I guess another update will happen in 2022.
I think this question should never be asked about any Offensive Security certification. All the certifications offered by Offensive Security have a technical exam, just like OSCP, OSCE, OSWA, and many others.
The real question you should ask is what the exam looks like and what kind of exercises you should expect. The OSWE exam lasts 47 hours and 45 minutes, with another 24 hours to write your exam report.
To pass the exam you are expected to hack two machines with different vulnerabilities and to submit a report with all the evidence and the details of how you got that result. The difference for this certification is that you need to collect more than 85 points to pass the exam.
Even asking how difficult the exam is does not, I think, make sense for Offensive Security. You should always expect a "Try Harder" kind of exam. In addition, the difficulty of the exam depends on the skills of the student: the more knowledge and experience he has, the easier it will be.
Here is what you should do BEFORE buying the OSWE certification:
Here is what you should do DURING the OSWE course:
Choosing between those 3 certifications depends on multiple parameters. The first one is the skill level you already have. If you are a beginner, then going after OSWE and OSCE might be very risky, as the content is advanced and requires multiple skills to obtain the certification.
I remember years ago, when I wanted to subscribe to the OSCE certification (I don't know if this still exists), we were given a small test to solve to check whether the student had the right skills before paying for the certification. If you were not able to solve that test, then just forget about the certification.
As I said, the OSCE and OSWE certifications are risky for beginners but not impossible; they only need more preparation, that's all. However, I highly recommend that beginners, and even advanced people looking for a job, start with the OSCP certification first to gain a reputation in the market, as it is the most popular, and then go for the others.
Also, I want to mention that you should always expect failure on the first exam attempt. This is not to reduce your motivation, but to help reduce the impact of frustration. Most people fail at their first attempt; the key is to keep learning and trying until you get the certification you want. "Try harder".
The Offensive Security team has a very good reputation in the market, due to years of good content they have given to the community, either online or during big cybersecurity conferences like Black Hat. The OSWE is not a new certification; it is very old and known in the market by all advanced penetration testers. The only difference now is that it has become available online, which was not the case in the past. In the past, the only way to attend this course was to be present at the yearly Black Hat conference.
In addition, if you look for job posts about web application security experts, you will find that this certification is among the requirements to get the job. This is the best proof that the certification is recognized in the market, and if you get it, it will help you receive good job offers.
Here are some job posts available on the day I am writing this blog post that ask for this certification, either as a requirement or as a plus:
Written by: Z. Oualid
I am a Cyber Security Expert; I have worked with many companies around the globe to secure their applications and their networks. I am OSCP and OSCE certified, which are the most recognized and hard technical certifications in the cybersecurity industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).
Copyright © 2020 Getsecureworld.