As the S4E team, having completed the Offensive Security WEB-300 course and passed the OSWE certification, we wanted to share this demanding process and our experiences with those who are considering the course. We will explain what you need to pay attention to while taking the Advanced Web Attacks and Exploitation (WEB-300) course, so that you can decide whether the training is right for you now or whether you should wait a little longer. We will also cover the course content and, at the end, some important points about the exam.
Advanced Web Attacks and Exploitation (WEB-300) is not an entry-level course. If you do not have a basic understanding of web vulnerabilities and network layers, you should postpone taking it. Anyone considering this course should also be able to write code in at least one programming language and read code written in several others. To illustrate: if you have trouble reading Java, or adding a few lines of debugging code to an existing project is a time-consuming task for you, you should wait a little longer before taking the course.
If you are looking for an advanced web application pentest course, this one is worth considering. It is sold with two or three months of lab access. If you are confident in your web application security skills and your workload allows it, 60 days of lab access costs $1299; 90 days of access costs $1499.
If you are working full time and can devote only a little of your time to the course, we recommend the 90-day option so that you can make full use of the lab environment Offensive Security has built for this course.
Finally, this course is suitable not only for people working in offensive web application security but also for web application developers (software engineers, full-stack web developers, etc.) who want to understand the security of their own code. In both the course material and the lab environment, you will read a lot of code. Combining the working style web developers are used to with the depth of security research has produced an enjoyable and challenging course.
The Advanced Web Attacks and Exploitation (WEB-300) course focuses on white-box web application penetration testing. Most of your time will be spent analyzing source code and working with Java and .NET decompilers and debuggers, request manipulation, and tools such as Burp Suite, dnSpy, JD-GUI and Visual Studio. The training videos are up to date (they were updated while we were taking the course). The course content (videos and the PDF) is enough to understand the subjects, prepare for the exam and solve the lab exercises. If you follow the training material and solve the lab exercises without leaving any subject you do not understand, you can pass the exam comfortably.
The lab also contains "extra mile" exercises whose solutions are not explained in the documents you are given. You have to work these out yourself, although you can discuss them on the forums if you need help. Frankly, that help only goes so far: as with every Offensive Security course, you are on your own.
Some of them are:
The exam lasts 47 hours and 45 minutes. During this time, proctors assigned by Offensive Security monitor both your machine and you. The proctor assigned to you checks the exam requirements 15 minutes before the exam starts. Since these checks can take the full 15 minutes, we suggest setting up your test environment and meeting the requirements ahead of time. There must also be no other electronic equipment on the desk where you take the exam.
In total, there are 5 separate machines in the exam. 2 of them hold the local.txt and proof.txt files; you need to obtain these and include them in your report.
The other 2 are exact copies of the first 2 machines, provided so that you can debug. You are given credentials for these 2 machines so that you can perform white-box testing. The last machine is a Kali Linux machine that you may use if you wish.
Apart from the Kali Linux machine, the machines host web applications written in different programming languages. You are expected to examine the application source code on the two debug machines, identify the deliberately planted vulnerabilities, and write exploit code. Using the exploit you prepared, you then have to compromise the target machines and read the local.txt and proof.txt files.
Each target machine has 2 stages. In the first stage, you need to read the local.txt file by exploiting an authentication bypass vulnerability. In the second stage, you need to read the proof.txt file by exploiting a remote code execution vulnerability. Each authentication bypass is worth 35 points and each remote code execution is worth 15 points, for a maximum of 100; the minimum passing score is 85. For at least one machine, you must also write a single exploit script that performs the whole chain and reads both local.txt and proof.txt.
It is strictly forbidden to use any source code analysis tool, vulnerability scanner or automatic exploitation tool in the exam. All work must be done manually. The one exception is ysoserial, which may be used to generate deserialization payloads.
You must be:
You should also have a thorough understanding of the web application vulnerabilities covered in the lab environment.
Although the preparation process was demanding, the OSWE course is training that our experts liked very much, both for its content and for what it contributed to our team. As the S4E team, we therefore recommend it. After the training, you will look at web applications from a different perspective. If you want to prepare before purchasing the training, we share some links below.
We also provide a few reviews for you to read before taking the exam. As the Security For Everyone team, we wish you success in your exam :)