As the S4E team, after the Offensive Security WEB-300 course and a successful OSWE certification process, we wanted to share this stringent process and our experiences with those who want to take the course. We will explain the issues you need to pay attention to while taking the Advanced Web Attacks and Exploitation (WEB-300) course. Thus, you can decide if the training is for you and whether you need to wait a little longer. We will also address the course content and, in the end, some important issues for the exam.
Is this course suitable for your level? Are you ready to get this certificate?
Advanced Web Attacks and Exploitation (WEB-300) is not an entry-level course. If you do not have basic knowledge of web vulnerabilities and network layers, you should delay taking the course. Furthermore, those who consider taking this course should write code using at least one programming language and read codes written in different programming languages. To illustrate, if you are having trouble reading code written in Java or adding some code caves to a project is a time-consuming task for you, you should wait a little longer for the course.
If you are looking for an advanced web app pentest course, you may want to consider this course. You have the option of taking this course in two or three months. If you are confident about web application security and your workload allows you, you can access a 2-month lab environment for $1299. If you want 90 days of access, you need to pay $1499.
We recommend the 90-day course to take thorough efficiency of the perfect lab environment which Offensive Security has developed for this course; if you are actively working and can devote very little of your time to the course.
Finally, this course can be taken not only by those working on offensive web application security but also by web application developers (software engineers, full-stack web developers, etc.) who want to learn their code's security. In both the course material and lab environment, you will read a lot of code. With the combination of this working style that web application developers are used to and the depth of cybersecurity research, we can conclude that an enjoyable and challenging course has emerged.
What is the Content of the Course?
Advanced Web Attacks and Exploitation (WEB-300) course focuses on white box web application penetration testing methods. Most of your time will be spent analyzing source code and using tools such as Java decompiler, DLL debugging, request manipulating, Burp Suite, dnSpy, JD-GUI, Visual Studio. The training videos are up to date (updated while we take the course). The course contents (video and pdf documents) are enough for you to comprehend the subjects, prepare for the exam, and solve the lab environment questions. If you follow the training content and solve the lab questions without leaving a subject that you do not understand, you can pass the exam easily.
Also, there are extra miles in this training lab environment, which are not explained how it is done in the documents given to you. You have to do these miles yourself, but you can discuss them on the forums if you need help. Frankly, this is up to a point. As with any offensive security courses, you are on your own.
What Would You Gain From The Course?
Some of them are:
- Competence to detect vulnerabilities by examining the source codes of advanced web applications and, thanks to this competence, being able to detect 0-day vulnerabilities by analyzing web applications
- Mastering a variety of web application technologies
- Ability to run commands at the highest level of authority over the server by combining different types of detected vulnerabilities
- Exploit development
- Thinking outside the box
- Risk management (a really serious contribution)
- How to overcome the obstacles during the exploitation
- Finding out about some of the more unusual web application vulnerabilities
What Do You Need To Know About The Exam?
The exam is scheduled for 47 hours and 45 minutes. During this time, proctors assigned by the Offensive Security company would be able to monitor your machine and you. 15 minutes before the exam starts, the proctor assigned to you will check the requirements to be eligible for the exam. Since these procedures can take up to 15 minutes, we suggest setting up the test environment and requirements ahead of time. Furthermore, there should not be any electronic equipment on the table where you will take the exam.
In total, there are 5 separate machines in the exam. 2 of these machines have local.txt and proof.txt files. You need to get them and your reports.
The other 2 are machines are exact copies of the first 2 machines, where you can perform debugging operations. Therefore, the credentials of these 2 machines are shared with you, and you can do white-box pen-testing. The last machine is the Kali Linux machine that you can use if you want.
Except for the Kali Linux machine, other machines have web applications written in different programming languages. You are expected to examine the web application source codes using two debug machines, identify specially placed vulnerabilities and write the exploit code. Using the exploit code prepared, you have to exploit machines and read local.txt and proof.txt files.
Each machine consists of 2 stages. In the first stage, you need to access and read the local.txt file using authentication bypass vulnerability. In the second stage, you need to read the proof.txt file with the remote code execution vulnerability. Authentication Bypass operations are evaluated with 35 points, while Remote Code Execution operations are evaluated at 15 points. The minimum score to pass the exam is 85. It is also necessary to write a single exploit code that reads local.txt and proof.txt for at least one machine.
It is strictly forbidden to use any source code analysis tool, vulnerability scanning tool, or automatic exploitation tool in the exam. Operations are required to be completely manual. The ysoserial tool can be used for deserialization.
What Should Be Done Before The Exam?
You must be ;
- at a level that can manually analyze source code in web applications written by using programming languages such as PHP, Java, Javascript, ASP.NET, Python. Do not forget, in the exam, it is forbidden to use automated tools.
- familiar with at least one of the programming languages you will use when writing exploit code for detected vulnerabilities. Even if you detect the vulnerabilities, you cannot get points if you cannot write the appropriate exploitation code.
- familiar with databases such as Mysql, Postgresql and their syntax structures.
It would help if you had a thorough understanding of the web application vulnerabilities explained in the lab environment.
Conclusion
Despite a rough preparation process, the OSWE course was a training that our experts liked very much for its content and contribution to our team. Thus, as the S4E team, we recommend the training. After the training, you will gain a different perspective. If you want to make preliminary preparation before purchasing the training, we share some links below.
We also provide you with a few reviews for you to read before taking the exam. As the Security For Everyone team, we wish you success in your exam :)
Prep:
Overview:
control security posture