OSWE Review

Hi!

Intro

Back in 2017, while scrolling through my Twitter feed, I stumbled upon a tweet by mr_me announcing the availability of the AWAE course at the upcoming Black Hat Asia 2018. Honestly, I was not planning to take the course any time soon; it was definitely on my agenda, but not that soon, since I was already doing the WAPTX course. However, this was an offer I couldn't refuse, since Singapore is more convenient for me than the USA. Also, after I asked the instructor, mr_me, about the materials, he confirmed that it was a totally revamped version. So I signed up the next day, and within 2 days the course was already sold out.

Live course

The live course was amazing! It was tense but an eye-opener, covering many important types of web application vulnerabilities. The instructor did a great job illustrating the concepts and covering the methodology used to hunt bugs. Also, after each module he discussed the mitigation steps and how to protect applications from these possible vulns.

The first two days were about auditing an LMS application built using PHP. Honestly, I think this is the most interesting web application case to cover, since chaining different types of vulns together was needed to achieve the highest possible impact, which is RCE 🙂

The next days were also about auditing web applications, but with different frameworks, programming languages and new exploitation techniques. The instructor was kind enough to give away some of his 0days and discuss them. The real benefit of the live version of security courses is the interaction and communication between students and instructors to discuss different points of view. By the last day there was not enough time to cover the last case, about a vulnerable Node.js web application; however, the OffSec people gave us the VMs and materials to study back home.

Online version

I spent some time after the course auditing PHP web applications from GitHub, and it was a great exercise since there are many frameworks and different libraries built on top of PHP. In late 2018 I received an e-mail from OffSec stating that they would roll out a beta version of the online AWAE course and that I could participate in evaluating the beta version! I signed up for this, and it was a nice move to refresh my notes and prepare for the exam.

The online version's materials and lab are top notch; I dare say it's the best course in terms of materials presentation and lab setup from OffSec. The cases were the same as in the live version, since the time between the two versions was small; however, there was a new module about a .NET web application, and I was very happy about that since not many courses or trainings talk about it. The only downside was the RDP connection for Windows machines in the online version; however, it's possible to create a local version of the vulnerable apps for later study if needed.

Exam

OK! The exam is 48hrs long and, as usual, I get super nervous 🙂

Short story without spoilers: I failed the first attempt. I then spent a great deal of time restudying and set a proper game plan for the next attempt. I passed on the next attempt, and all I can say to myself is to relax and don't over-complicate things.

Fin

Honestly, I can say this is the best course out there covering web application attacks. The course is all about code review and some twisted exploitation techniques. This course is not for the bug bounty field, where a black-box approach is mostly used; this is a white-box approach to hunting bugs and 0day vulns.

Also, I recommend spending a good amount of time, before starting to audit any web application, on understanding how the URL handling is implemented. The most important thing when auditing is the ability to map user inputs to the responsible code snippets, whether bottom-up or top-down, since we want to cover all possible attack vectors.

Resources

https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/

https://www.offensive-security.com/vulndev/auditing-the-auditor/

https://medium.com/@frycos/finding-sql-injections-fast-with-white-box-analysis-a-recent-bug-example-ca449bce6c76

https://www.tutorialspoint.com/nodejs/nodejs_process.htm

https://maikthulhu.github.io/2019-05-17-remote-debugging-node-vscode/

https://ssd-disclosure.com/archives/3899/ssd-advisory-getcms-unauthenticated-remote-code-execution

https://srcincite.io/blog/2018/10/02/old-school-pwning-with-new-school-tricks-vanilla-forums-remote-code-execution.html