OSWE Review - A return to roots
At the start of December 2022, I enrolled into the Learn One - OSWE package and I started on it immediately to make use of the holiday season downtime. By March 2023, I successfully cleared the OSWE exam with full points. As opposed to my OSEP experience, this one was mostly solid but that is likely in part of my background and future goals.
My Background
I have been working in IT for about 6 years, and half of those as a pentester working mostly on web applications. Before that I worked in other various IT roles that required writing code on an almost daily basis, but I have never been a full time software engineer writing enterprise code.
However, I have been building small applications and scripts for years. Generally, I build about 2-3 of those/year, which can sometimes be just an API endpoint, sometimes a bot like UMP9. My discord buddies also love breaking everything I make, so I also have some experience tracking down and fixing functions across a codebase.
Overall, I have a mix of both dev and web experience accrued over the years which does put me in a favourable position to tackle the OSWE exam.
The Platform
This has been improved since my OSEP review, but I’ve still had many issues with the VPN randomly disconnecting, timing out and breaking in some other way and requiring some intricate fix or help from Offsec support to fix it. Box performance has also been mostly good, with just a handful of targets being very slow. PDF and video downloads worked on day 1. Uptime was 90%+, which is still not ideal, but better than the 50% OSEP uptime. Overall, I would like to congratulate Offsec on mostly fixing their issues. The web platform itself is still really slow, frequently disconnects you and every time I open a new page I have to wait for the bloody 10 second gif to play. Baby steps, I suppose.
The Content
The OSWE PDF is almost 600 pages long and is split into 14 chapters, out of which 3 are just fluff. The Offsec web platform has another retired chapter that I think is still worth doing, which leaves us with 12 actual chapters. These chapters cover a variety of web vulnerabilities in older versions of open source projects, focused either on authentication bypass or remote code execution. The full syllabus is available here. The videos and the PDF cover the same topics but the videos will have more elaborate demos of the commands being run that might be missing from the PDF, so refer to them if there are some sudden jumps, especially while debugging.
The quality and pace of the course fluctuates a lot. The newer modules (from 2020) are much more polished, better explained and in higher resolutions, while some of the old ones are very lacklustre. The deserialization module is both poorly explained and the videos are in a crispy 480p resolution that looks like it’s been through too many filters, but that is about as bad as it gets. The rest of the modules are on a scale between these 2 extremes.
The major downside is that every single module tackles a large open source application or library. This can feel very overwhelming at first when a module starts with “on line 300 in file X…” and you realise that there are hundreds of thousands of lines of code in the application. This pace does not slow down until the challenge boxes, but you do learn of certain methods to refine your searches and make sifting through large codebases more manageable, which I think are very valuable.
Offsec has this strange obsession with being overly academic in the way they teach, which would be better suited if the final exam was a month long thesis like project and not a 72 hour sprint. Their courses are a marathon but the exam is a sprint, which strikes me as a heavy handed dichotomy. For that reason, I would really recommend also going through PortSwigger Academy Labs as additional practice. PortSwigger does not provide the source code, but the performance and flexibility of their labs is much better.
The extra miles are where the meat of the course is, and I would really urge everyone to do them all, at least until the blackbox chapters. They force you to think outside the box, really understand the material and write exploits and payloads that you can reuse later in the exam. There are a lot of them (30+) and while some will take just minutes to complete, many will take you days or more. Do not get discouraged and feel free to seek help in the offsec discord. The Student Admins are pretty slow to respond, but many other students will be more than happy to help you.
To close things up, I think Offsec does a fine job at teaching useful and interesting material in a relatively in depth way, but for someone like me who has been routinely in Port Swigger’s hall of fame and sometimes even in top 10, I felt like they could’ve done more. It’s still a good course, just in dire need of some polishing and revision.
The Labs
The labs are pretty solid. There’s one box for each chapter, with a few of them needing 2 boxes to fully complete an exploit. You get full root/admin credentials for all of them so there is complete transparency for what happens under the hood. You are encouraged to turn on logging and set up a debugging environment, but everything else is up to you.
The age of the course once again makes itself present, with many of the older modules encouraging you to use arcane grep commands or download the code locally instead of operating on the target host itself. While I still think that these commands and tricks are useful to know, don’t hesitate to bust out VS Code to help with analysis. Performance was largely solid outside one or two hosts.
Overall, the lab is solid, if a bit overwhelming. I wish Offsec would’ve used small, custom apps instead and then have links to the same exploits applied to open source apps, at least in the starting modules.
The community
The Offsec discord has a wonderful community with a few bad apples. I am genuinely baffled by how they managed to attract such a community while being indifferent and borderline hostile towards it, especially after laying off two of the server founders and most public faces of Offsec, FalconSpy and TJNull. Regardless, if you only stick to the relevant course channels, you should have a good time and only run into wonderful people. I would like to particularly give a shout-out to ApexPredator, who has been kind and patient enough to help me with the extra miles and challenge boxes throughout the course and gave me just enough hints to overcome all challenges. He is a wonderful and positive person.
Post course prep
After I completed 90% of the extra miles and the two whitebox challenge boxes, I decided to skip the blackbox one and look for other more suitable practice targets. I started with SecureCode from VulnHub, which I think was excellent practice and pretty close to the challenge boxes. I have also watched videos or read write ups for all the boxes in TJNull’s OSWE list
The crucial aspect was going back to all the modules of the PDF and preparing generic code snippets for the exploit taught in the module, as well as alternatives. For example, if the SQL Injection taught in the module was in MySQL, I would write a function to perform the injection and one to loop through characters, and then also do it for PostgreSQL, MSSQL and Oracle. You can find a cheat sheet for how they all work on Port Swigger’s website
I cannot stress enough how crucial this step is. You are very pressed for time in the exam, so being able to copy paste code and just make a few changes will save you hours of frustration. Approach this exam like Batman, with a plan and an impressive and borderline paranoid toolkit.
The exam
I was scheduled to start the exam at 10 AM local time. After a few delays and issues with the proctoring software, I managed to actually start the exam at about 10:30. Make sure to also have a photo of the ID on your desktop because, if you have a $10 webcam like I do, it will struggle to capture details or focus on the ID with light reflecting off it.
I have approached the exam using a blackbox mindset. I looked around the web app for interesting features and then I went to check the source code to see if they’re exploitable. I picked my first target at random and only realised that there are more after I read the exam pass requirements. Fortunately, I have picked the more intensive target first and I was able to also look through the other targets while testing exploits against it. After about 6 hours which also included a quick lunch break, I was able to secure the first flag, which I decided to automate immediately in order to not lose track of the process later, which took me about 1 hour. Another 4 hours later, I found the next flag too, but the automation process took much longer, about 3 hours. In 14 hours I had gotten half the flags required and I was getting ready to go to bed but decided to have another look at the next target. Through a flash of inspiration, I managed to spot and trigger the exploit in about two hours, and then I decided to call it a day and went to bed to sleep for the next 8 hours.
Day 2 started around 9 AM. I retested the exploit and then spent the next 2 hours automating the vector. About 24-25 hours in and I had enough points to pass which was a massive boost in confidence. I spent the next 6 hours finding and automating the last flag, granting me full points for the exam in just around 30 hours. At this point, I tried to get a full night of sleep but worries about the report stopped me from getting more than 4 hours of tortured sleep so I was back early to start working on the report. The requirements for the report are quite strict so I recommend reading them very carefully whenever you have some downtime.
I ended up going back to the codebase for some additional screenshots, although they were mostly for my peace of mind. At the end of the 48 hours of the exam, I had a solid draft of the exam report ready. 8 hours and a few revisions later, I submitted my report, totalling at almost 100 pages. Likely overkill, but it was the only thing I could do to abate my anxiety. About 26 hours later I received the much awaited email with the pass.
Overall, the exam felt fair despite a few rabbit holes. The benefit of whitebox analysis is that you can clear our rabbit holes pretty quickly. The debugger hosts tend to be really slow, which isn’t an issue if you are just reading the code but can be a proper pain if you are trying to run a debugger. The challenge boxes were a good preparation for the environment of the exam. Once again, I would really recommend taking your time with those, they each have two separate ways of solving them!
Conclusion
Is the course good? I would argue that yes, it’s largely good, just in need of some polishing. Is it worth $1600 or $2500? That is a much tougher sell. The level 300 courses are clearly Offsec’s more neglected children and the OSWE seems to be the redheaded stepchild of the three. There are not many courses in the appsec space because appsec is inherently difficult to teach without using a case study approach and most people who are interested in learning appsec will just use blog posts of CVEs in open source applications and then pull the vulnerable version down to retrace the steps. Web, on the other hand, is highly competitive with giants such as Port Swigger providing cheaper, broader and more effective training. The base course feels rather outdated and the new modules are just grafted on top of it.
I have enjoyed my time with the course and I feel like it has made me a better pentester and programmer, but that is because it covered a topic I am deeply fascinated by. If you are looking to move into appsec or just test your appsec mastery, then I would recommend it, just be sure to already have some experience and familiarity with the material first and bear in mind the caveats. If you are considering OSWE just because you have some training budget to blow or want the OSCE3, then I would not recommend it until Offsec revises and updates the course. I don’t think we should reward Offsec for material that looks like it belongs in 2016, or for their behaviour over the past 2 years for that matter.
I will not be doing OSED anytime soon, if ever. I have no real interest in it, and it would not be useful for my job. I have spent the past 3 years of my life grinding certs, got 7 of them, 4 of which were Offsec certs, and I think I am done for a while. The tech world moves too fast to be stuck in this perpetual grind and I think it is high time to put the dev and appsec knowledge I’ve gained over the years to actually put some actual content and apps out.
One final time, I tried harder. Now it is time for me to do more than just grind certs.
Extra Resources
https://portswigger.net/web-security
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
https://portswigger.net/web-security/sql-injection/cheat-sheet
https://github.com/ApexPredator-InfoSec/securecode1
https://github.com/ApexPredator-InfoSec/AWAE-OSWE
https://chat.openai.com/chat - Yes, chatgpt. While not allowed in the exam, it has saved me a lot of time when working with some new libraries.
https://github.com/swisskyrepo/PayloadsAllTheThings/
https://github.com/carlospolop/hacktricks/
Also consider trying some small scope programming challenges to get a better grip on writing and reading small applications.