Menu
Article

OSWE Review & Preparation Guide

Anish Kumar

• 4 min read
OSWE Review & Preparation Guide

As you might already know, OSWE (WEB-300) is a web security certification that specifically teaches code review. The course covers most web vulnerability classes and also some lesser-known vulnerabilities that you don't encounter in a normal pentest or during Bug Hunting.

  • SQL Injection
  • Deserialization (.NET, Java)
  • Authentication Bypasses
  • Server-Side Template Injection (SSTI)
  • XML External Entity Injection (XXE)
  • Cross-Site Scripting (XSS)
  • Server-Side Request Forgery (SSRF)
  • Prototype Pollution
  • Bypassing filters and different restrictions
  • Command Injection
Take a look at syllabus here.

Prerequisites

Web Security Basics

If you're an absolute beginner learning web security, start with PortSwigger Academy. If you prefer watching videos, here are some recommended videos and playlists:

Programming

After you finish learning the basics, start learning programming.

You don't need to be an experienced developer, but you should be able to read code

I'd suggest starting with a language that supports Object-Oriented Programming (OOP) like Java and try developing a basic CRUD app in that language. You could pick Spring Boot, for instance, and proceed with developing the application. This really helps you understand how an application is built and how it interacts with databases.

If you're comfortable with any other programming language, pick a framework based on that language and start building the app. Most of the concepts will be similar, just the syntax and code patterns will differ across different languages and frameworks.

Here are some resources you could use:

💡
I would also highly recommend playing CTFs on weekends (that's how I learned code review), over ctftime.org. Just choose any CTF with weight around ≈20 and start playing

Preparation

The course module offers both video and text-based content. Choose the medium you personally prefer, though text content is sometimes more detailed. Go through the lab and extra mile exercises while following the module, as it will save you time later.

Don't save the extra miles for later. Complete them as you go so you don't forget the context.

Note-taking is necessary, but don't spend too much time on it. Simply use the module's content and summarize it according to your understanding.

Challenge labs

After completing the module, you should have a clear understanding of how modern web apps are structured, including MVC architecture, how routing works, how to identify unauthenticated and authenticated endpoints, what services are, and more.

At the time of writing this, the course contains 7 challenge labs and some archived ones. We are already provided with a debugging setup using VS Code Server, which is very pleasant to use unlike the exam 🥲. Solving these labs will be enough to prepare you for the exam, though the exam was a little more difficult than the challenge labs.

You'll develop your own methodology while solving these labs, but here's mine:

  • Start with reviewing the application using your browser
  • Look for interesting features in the application
  • Try identifying basic security issues on those features; if that doesn't work
  • Review the code implementing the feature (looking at the request route)
  • Map and review the function implementing the feature, and try to find an issue
  • If the above doesn't work, directly search for issues in the app using regex based on the application context (the course will teach you this)
For black-box machines, fuzzing and research will be enough

Here are some resources to learn regex, which will be very helpful while finding issues and creating Proof of Concept (PoC) scripts:

A Practical Guide to Regular Expressions – Learn RegEx with Real Life Examples
What are Regular Expressions? Regular expressions, also known as regex, work by defining patterns that you can use to search for certain characters or words inside strings. Once you define the pattern you want to use, you can make edits, delete certa…
freeCodeCamp.orgTasnim Ferdous

Scripting exploits

As mentioned in the OSWE exam guide, creating a single functional exploit script is very important.

While solving challenge labs, try writing an exploit script for each issue you find. This will help you create some reusable code snippets. Then chain the scripts together after achieving RCE.

💡
You could also practice scripting by writing exploits for PortSwigger labs

Here are my toolset and resources used for scripting:

Recommendations

I won't bore you with my lengthy exam experience 🙃. Just follow your methodology and take regular breaks.

  • Go with the flow. If you see something interesting, follow it
  • Research is the key; google things and read documentation and blogs
  • Filter out rabbit holes with proper research
  • Use NoMachine or SSH X11 forwarding via Visual Studio Code if you want a smooth exam experience

Conclusion

This is a great course from Offsec. The training is very insightful and genuinely fascinating. Prototype pollution and insecure deserialization were especially cool to dive into, unlike the standard security issues.

References

How I cracked the OSWE exam in 2023
Want to know how to crack the OSWE exam? Here’s my take on to how I did it, and what are the best practices you can follow.
Payatup3n7a90n
Share