Does WEB-300 (OSWE) certification worth it?

blog + Certifications Z. Oualid todayAugust 13, 2022

share close

Once a professional penetration tester gets his OSCP certification the decision for the next step is really hard to make. Some chose to go for binary exploit while others think about specializing in web applications and trying to get the OSWE. However, is the OSWE certification also known as (AWAE) worth it?

AWAE course is the best web application penetration test course made by offensive security. If the professional penetration tester seeks to get deep and advanced technical skills in web application vulnerabilities then OSWE certification is the best choice.

In this, we are going to explain in detail why going after the OSWE certification would be one of the best choices a professional penetration tester may take. We are going to explain in detail, what you are going to learn and what makes this certification the best in the market compared to others. So if you are interested in taking a web penetration test for your career then just keep reading.

The content of this blog post represents my own personal honest point of view about this certification, and the content was not supported by any affiliation program.

Some subjects that you are going to study in OSWE certification and why?

Most examples discussed in this course are based on JAVA and .NET applications. This choice does not come randomly, as most professional applications that you may work on during your career would be built with those two technologies. However, all the techniques and the tools that you will learn in this course are applicable to all types of technologies.

Tools & Methodologies

The first chapter in the OSWE course is about the used tools and methodologies. As you would already know, following a good methodology in penetration may save you so much time and guarantee good results. Therefore, learning a methodology to follow either during dynamic analysis of a web application or a static code review, is a must.

Some of the tools that you will learn about and that I am 100% sure you have already used is Burpsuit. Burpsuit is the swiss knife in web application penetration testing. The main reason for using this tool is the capability of intercepting outbound and inbound request (web proxy) to analyze the different information and parameters that the browser sends to the target.

Moreover, what actually makes Burpsuit preferable among other web proxies is the extension capabilities that its community plugins offer.

In this section, you will also learn how you can retrieve the source code of a compiled .NET or JAVA application, for further static analysis of the code.

JavaScript Prototype Pollution

The javascript prototype pollution vulnerability is an injection type of vulnerability that target the server-side javascript runtime environment. By changing a specific property in the javascript prototype an attacker can control the default values of all the objects. By doing this manipulation, the attacker is able to either bypass the business logic or security mechanism or even cause remote code execution.

The theory behind this vulnerability is easy to understand but in practice, it is difficult to discover in the app without the backend source code.

However, with the rising use of JavaScript-based backend, finding this type of vulnerability may become widespread in modern apps. Therefore, learning about vulnerability and the different tools/techniques used to discover it may become very useful in the near future.

If you want to learn more about this vulnerability I highly encourage you to take a look at the following blog post written by snyk team.

Advanced vulnerabilities exploitation techniques

As I said first, this certification could be somehow considered complementary to OSWA certification. Therefore, you should expect to get deeper into some exploitation techniques for some specific vulnerabilities like SSRF, XSS, SQL injection, Command injection, SSTI, and XEE. This would give you more options to think of during a penetration test if all the basic and easy ones fail.

Unfortunately, for web applications, it is really hard to find other Opensource vulnerable applications on the web that have the same exact vulnerability. Therefore, I highly encourage you to profit from the offensive security lab as much as you can.

Session hijacking

The session hijacking vulnerability happens when the attacker is able to retrieve the victim’s session token and use it to log in to the web application. This problem came from the default design of the HTTP protocol that does cannot connect each request to another, to create a sort of session.

This is also an advanced vulnerability that is hard to detect if you don’t have a good experience with the different programming technologies and the way each one of them manages the sessions. However, once the vulnerability is detected it is usually easy to exploit.

The impact of a successfully exploited session hijacking vulnerability depends on the victim’s account privileges. The more role and permissions the victim has the more dangerous the impact of this vulnerability is.

Many other advanced vulnerabilities will be discussed and explained in the course. However, to not make this blog post even longer, I will stop at this level. If you want to know more about the types of vulnerabilities you can expect in this certification I highly recommend taking a look at its official page.

From SQL to RCE

Another very interesting and advanced technique you will learn in this certification is the way of exploiting an SQL injection vulnerability (or to be more general and SQL session) to get an RCE. Those techniques are very useful and you will definitely get a real-life situation where you will need such techniques.

You may already know some techniques that allow this sort of exploitation, like using a DBMS built-in function to execute commands and getting a reverse shell. However, what if you don’t have a such function like in most situations where you deal with a MySQL or PostgreSQL DBMS.

The best thing about the OSWE course in this section is that it covers multiple databases including MySQL and PostgreSQL. The technique explained in this section is the UDF (user-defined function). In addition, in this section, the OSWE certification describes an interesting feature in the PostgreSQL called large object that helps with the UDF in the PostgreSQL situation to get an RCE.

Other topics

I think I will need another whole blog post to just talk about each topic that you will encounter in this certification as there is a lot of content. Therefore, I will stop at this level while just listing the titles of some of the topics that you will find in this course

  • .NET deserialization
  • Remote code execution
  • Data exfiltration
  • Bypassing file upload restrictions and file extension filters
  • PHP type juggling with loose comparisons
  • PostgreSQL Extension and User Defined Functions
  • Bypassing REGEX restrictions
  • Magic hashes
  • Bypassing character restrictions
  • PostgreSQL large objects
  • Weak random token generation
  • XML external entity injection
  • OS command injection via WebSockets (black box)

Does the content in the OSWE certification up-to-date?

The content in the OSWE certification is just awesome and up-to-date. I can guarantee you that there is a lot to learn in this certification especially if you want to get specialized in web applications penetration testing.

In addition, this certification is pretty new and the content gets updated every year. The last update was made in 2021, another one did happen in 2020, and I guess another update will happen in 2022.

Is the OSWE exam technical or QCM based?

I think that this question should never be asked for all the Offensive security certifications. All the certifications proposed by offensive security have a technical exam, just like OSCP, OSCE, OSWA, and many other ones.

The real question that you should ask is how the exam would be and what kind of exercises you should expect. The OSWE certification exam duration is 47 hours and 45 minutes with another 24 hours to write your exam report.

To pass the exam you are expected to hack two machines with different vulnerabilities and to submit the report with all the evidence and the details on how did you get that result. The difference for this certification is that you should collect more than 85 points to pass the exam.

Even the difficult type of questions I think does not make sense for Offensive security. You should always expect a Try Harder kind of exam. In addition, the difficulty of the exam depends on the skills of the student itself, the more knowledge and experience he has the easier it would be.

How to prepare for the OSWE certification?

Here is what you should do to BEFORE buying the OSWE certification:

  1. Mastering the JavaScript language
  2. Mastering at least one of the following languages JAVA or .NET
  3. Having a good knowledge of the other language programming logic
  4. Mastering at least one scripting language Python for example
  5. Get familiar with Burpsuit or any web proxy
  6. Good experience with Linux commands
  7. Get familiar with application debugging
  8. Have a good understanding of the OWASP top 10
  9. Get familiar with regex

Here is what you should do DURING the OSWE course:

  1. Like OSCE you should not skip any section of the book and videos
  2. Do all the exercises
  3. Look for extra resources to either apply what you learned or learn newer techniques
  4. Create a checklist of all the vulnerabilities you have learned during the course
  5. Make your exploitation scripts modular so that you can reuse them for future exploitation
  6. Solve the extra lab machines. You’ll be given multiple extra lab machines with no guide or instructions on how to solve them.

OSWE vs OSCP vs OSCE who is the best for me?

Choosing between those 3 certifications depends on multiple parameters. The first one is the skill level you already have. If you are a beginner, then going after OSWE and OSCE might be very risky as the content is advanced and require multiple skills to be able to get the certification.

I remember years ago when I wanted to subscribe to the OSCE certification (I don’t know if this still exists), we were given a small test to solve to check if the student has the right skills before he pays for the certification. If you were not able to solve that test, then just forget about the certification.

As I said the OSCE and OSWE certifications are risky for beginners but not impossible, they only need more preparation and that’s all. However, I highly recommend beginners and even advanced people looking for a job to start with the OSCP certification first to gain a reputation in the market as it is the most popular and then go for the others.

Also, I want to mention that you should always expect failure on the first exam attempt. This is not to reduce your motivation, but to help reduce the impact of frustration. Most people fail at their first attempt, the key is to keep learning and trying until you get the certification you want. “Try harder”.

Is the OSWE certification recognized in the market?

The Offensive security team has a very good reputation in the market, due to years of good content they were giving to the community, either online or during big cybersecurity conferences like Blackhat. The OSWE is not a new certification, it is very old and known in the market by all advanced penetration testers. The only difference now is that it has become online, which was not the case in the past. To attempt this course in the past, the only way is to be present at the yearly conference of the blackhat.

In addition, you can try to look for any job post about web application security expert and you will find that this certification is among the requirements to get the job. This is the best proof that the certification is recognized in the market and if you get it, it will help you receive good job offers.

Here are some job posts available on the day I am writing this blog post, that ask for this certification, either as a requirement or as a plus:

Written by: Z. Oualid

Rate it

About the author

Z. Oualid

I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH). I hope you enjoy my articles :).

Previous post

Similar posts

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *