AWAE/OSWE - A not expected review

Let me start by saying that I have successfully passed my OSWE exam in 2020, after Offensive Security updated the course content (and the exam machines as far as I can tell).

My badge ID is OS-AWAE-9850.

I start with that because I want to make clear that this review is not "whining" because I wasn't able to pass the exam.

Moreover, I also hold OSCP and OSWP, and I believe that many parts of this review also apply to those "trainings".

AWAE is a "web application security review course". Be very cautious about that before you opt to take the class. This class is 90% manual source code review. You may be very good at black-box web PT, but that does not mean you can quickly discover vulnerabilities hidden in a code base. And don't be mistaken: the majority of the vulnerabilities you are going to deal with cannot be discovered in a black-box PT. This class/exam has more in common with CTFs that give you access to the code and ask you to get the flag than with "closed" boxes/VMs that have to be pwned from a black-box perspective.

Course pros

(+) The OSWE material is well organized, well documented and fairly up to date, given how fast the web exploitation field changes. You are not going to find a "super secret" technique or a technique from yesterday, but beyond XSS and SQLi you will see exploitation of type juggling, SSTI, XXE, RCE on Node.js and more. Syllabus: https://www.offensive-security.com/documentation/awae-syllabus.pdf

(+) The vulnerabilities described are not only presented as individual issues; they are used in chains that always lead to RCE. You learn how to think about vulnerabilities and how to chain them.

(+) You gain an in-depth understanding of those vulnerabilities, because 90% of the provided content is about white-box approaches. This way you can see the vulnerable code, follow the vulnerable path with remote/local debugging and understand 100% of the root cause of the vulnerabilities you study. Understanding the root cause in depth is very important and useful.

(+) The videos are also very good: you see the exploitation step by step before you go to the lab and reproduce it yourself.

(+) The wiki, although very simple, is well organized, and the source code from the PDF is provided there. This way you don't have to "copy paste" things out of the PDF.

(+) You will have to learn how to develop your own full chain exploits.

(+) You will see (and deeply understand) that there are many, many more vulnerabilities than the ones presented in the Acunetix/Burp/Netsparker/whatever results: many vulnerabilities cannot be identified by scanners.

Training vs. training materials

People learn in different ways, and you have to decide for yourself whether Offensive Security's way is also your way to learn new things.

Offensive Security's marketing is amazing. If you look carefully at their pages, there are "Courses" and "Training for orgs", and these are two different things.

In my very personal opinion, PWK, AWAE and WiFu (and I suppose AWE too) are not trainings. You can call them "very well organized notes", or maybe "small books and video tuts", or maybe "training materials". But in my personal opinion a training has to be interactive. You have to be able to ask questions and receive answers, or have discussions with your instructor and classmates. "Try harder" is not an answer that requires an instructor.

Do you need a training? Can you learn new things with "notes/books/training materials"? Of course you can! I have learned a ton of things from ippsec, who has free high-quality YouTube videos; I have learned a ton of new things from HTB by "trying harder", and it's also free; and of course I have learned amazing things from people on Twitter and their very well organized blogs. Again, for free. And of course CTFs, for much more "try harder" and up-to-date content.

You have to know what you are going to pay $1400 or more for.

You are not going to learn something that you cannot learn for free. You are going to pay for something that is very well organized and given to you in one place, in one package, with the labs and the exam. In my opinion, you mostly pay for the certification and the tweet "I tried harder".

Course Cons

(-) In my personal opinion, this is not a training. This does not mean you are not going to learn, but in my opinion it's training material and not a training. Not sure if this is a "minus" or just a side note.

(-) If your objective is to learn and not the cert, you can find well organized material for free all over the web. You can learn the same things for free and in a "try even harder" way. So if "try harder" is the way to go, why not "try even harder" and get it for free? I stress that I am speaking about knowledge here, not the cert. Moreover, the CTFs and the blogs are much more up to date.

(-) If you go for the knowledge, in my personal opinion $1400 for the training material is too expensive. If you go for the certification, given that Offensive Security is a big name in the industry, I suppose it's a fair price. I prefer to think that I paid (Neurosoft paid, to be honest) $1400 to sit the exam and got the training material for free. It's a better point of view for me :-).

The exam

I am sure that there are people out there who sat the exam and found it easy. If you deal with source code reviews in your job, or you play CTFs with a good CTF team (CTFs that give you the source code, not boxes/VMs), you are probably going to find it easy. But I don't think that applies to the majority of the people who have sat or are going to sit this exam. Of course I have not done a poll. It's just my very subjective opinion.

When people sit an exam and pass it, they usually feel the need to say "I was expecting it to be more difficult", "easy for me", "I totally enjoyed it", etc. Personally, although I have conducted hundreds of black-box (no access to source code) web application PTs and I have developed numerous exploits in Python, I hated myself during the exam. I didn't enjoy it in any way.

I get it; we have to support our nightmare and prove our "super amazing skills". I really get it. I also suppose that some of us have to deal with "thought suppression", which I also get.

The exam is 48 hours of stress, coding and source code review/debugging. You have to perform a source code review of the applications, and you have to understand the flow in order to discover the vulnerabilities.

Don't expect to see something as obvious as:

<?php system($_GET['id']); ?>

You have to understand the code line by line in order to find the vulnerable code. Don't expect 50 lines of code. These are applications with many lines of code, libraries, frameworks, etc. Very realistic web applications.

I highly suggest you take a nap. I went to bed after ~16 hours and I had 0 access. After 6 hours of sleep, I started again.

I finished the exam in 47 hours, I slept roughly 10 hours (6+2+1+1 or something like that), I went for a 10-minute walk and I played with the cat.

I didn't do that because the exam was easy. On the contrary, I did it because the exam was not easy at all for me and I needed a fully functional brain. Trust me and get some sleep.

You will have to deliver full-chain exploits. You have to be good at programming, and I highly suggest you understand what you develop during your labs.

Keep templates of your exploits and make your code reusable and efficient.

I delivered almost 800 lines of code. I am sure that my code is rubbish, but you get the point. You are not going to deliver a 20-line exploit.

In the exam, if you have not familiarized yourself with code reviews, there is no way you are going to pass. When you are done studying, try to solve the labs on your own. If you can't, don't go for the exam.

By the way, I believe it's good to take the 60-day lab if you are working and have a personal life.

Exam Cons and Cons

(-) 47 hours with 10 hours of sleep.

(-) The exam has some "components" which test your ability to create efficient ("productive") exploits and not just an exploit.

(-) I really don't get the "no tools" obsession. I get that we don't have to use commercial tools. But why do I have to reinvent the wheel? If I can use an open source tool for something, or modify it to make it work and do my exploitation, what's the problem?

(-) I don't get the "full chain exploit" obsession. What's the problem if I provide 1, 2, 3, 4 exploits and you have to run ruby exploit-1.rb, java -jar exploit-2.jar and python exploit-3.py to get an RCE? If I put os.run("ruby exploit-1.rb") and os.run("java -jar exploit-2.jar") inside exploit-3.py, are we OK? What's the problem if I instruct you to make 2 requests with Burp/curl during the exploitation?

(-) Support via e-mail during the exam? Seriously? During a stressful exam I have to wait for e-mails?

(-) Rules in general: "If you submit your report in any other file format, we will not request or remind you to send a PDF report archived into a .7z file and your exam report will not be scored."

I don't really enjoy that attitude. This seems more like a punishment to me than an examination process. I doubt that our clients have a stipulation like "If you deliver a doc, we will not request or remind you to send a PDF and we are not going to pay". FFS. And it's not the only insane rule.

(-) Proctored exam: "1 minute break – I am back", "2 minutes break – I am back"; what's the point of that? Are you monitoring or not? Am I allowed to take a break and leave the room for 1 minute or 10 hours, or not? As long as I am allowed to take breaks as short or as long as I want, what's the point of sending "1 minute break" every time I have to go for a… coffee?

The End (?)

There are things in the exam where I don't see how they test my knowledge. I felt that the exam tries to test my nerves and my ability to work sleepless for hours more than my knowledge of vulnerability discovery. I would prefer fewer machines in the same hours, or more hours.

Of course, again, this is my 100% subjective opinion. Maybe I am just a n00b and many people pass it in 4 hours plus 4 hours for the report and then go to sleep.

To be honest, regarding value for money, I believe that I paid $1400 in order to put OSWE on my LinkedIn profile/CV. Whether that is enough is subjective, and you will have to make your own decision.

Am I going to go for OSEE? Maybe I will, at some point after COVID-19. Why?

1. Because, like I said, Offensive Security is a big name in the industry, and everyone has to assess whether they will get added value from "OSEE certified" in their signature.

2. It's not online. I suppose it's a training and not only training material.

3. Even if it were online, I would probably be willing to pay for an all-in-one package (certificate/training material/lab) if the value for money were good enough.

Disclaimer

This is my 100% subjective opinion. Maybe I am wrong, maybe I am a n00b (although based on my OSWE I am not :'-) ), or maybe everyone has to "try harder", not only the students.

Cu around,

Ilias Dimopoulos (a.k.a gweeperx) OSWE certified.

foyzan ahmed

HTML | CSS | Tailwind | JS | Linux | C++ | Data Structures & Algorithm | Problem Solver

1 year ago

You said that it's possible to get the same skill set that the AWAE course provides? Somehow I managed to get the video and PDF course material, but how can I get labs like the ones OSWE provides? Is there any way to get a similar (thousand-lines-of-code) lab application?

Joseph Wanderi

AppSec | Bug Bounty Hunter at Intigriti

1 year ago

I am going for the exam next year; I must admit I am kinda nervous.

Mihalis H.

Application Security Lead at Aktia | Bountyy.fi Startup Founder

4 years ago

Good tips! Thanks for sharing!
