OSWA (WEB-200) Experience
Intro – My Background & Recommended Prerequisites
Before enrolling in the WEB-200/OSWA course I had been a full-time penetration tester for almost 4 years with about 6 years total studying in the field of offensive security. I have been a Synack Red team member for 2 years and a Cobalt Core team member for 1 year. I am currently the Director of my employer’s Offensive Security Operations department. I mention this to say, I had a bit of an experiential advantage in pursuing this certification compared to a lot of certificate candidates who are new to the field. Throughout this review and within my GitHub repository for the OSWA I tried to think of what I would recommend to help someone new to the field obtain this certificate. https://github.com/machevalia/OSWA
If you are new to web application penetration testing, I would recommend that you take a few of the entry-level courses on https://w3schools.com for HTML, JavaScript, and XML just to understand basic concepts about them. To learn more about how web servers and applications work under the hood the best book I can recommend is The Tangled Web by Michael Zalewski - https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886 (You can find cheap used copies on eBay).
Course Overview
The WEB-200 course is the course associated with the Offensive Security Web Assessor (OSWA) certification. This is the equivalent skill level exam for web application penetration testing as the OSCP is for general network penetration testing. The course assumes you have some level of experience with using Kali Linux and its associated tools as well as a basic understanding of web applications. However, the course does provide a refresher for these topics although not much.
The following topics are covered during the course:
- Tool Introduction
- Cross-Site Scripting (XSS)
- Cross-Origin Attacks (mostly Cross-Site Request Forgery (CSRF))
- SQL Injections (SQLi)
- Directory Traversal
- XML External Entities Injection (XXE)
- Server-Side Template Injection (SSTI)
- Command Injection
- Server-Side Request Forgery (SSRF)
- Insecure Direct Object Reference (IDOR)
- Challenge Labs
The course consists of many slides, example videos, and practical labs. The slides provide you with the theory behind a vulnerability and contextualize how the vulnerability can be used in the real world. Almost every section contains at least one practical lab to exercise your new skills. The video library that goes along with the slides helps visualize the information in the slide decks and helps those that need to see something done to get it.
The good:
- Almost all of the vulnerabilities are explained well and provide all the context and practice that you will need to find the vulnerability class in the real world as well as in the exam.
- The practical labs gradually increase in difficulty with some being almost laughable and some being difficult and frustrating at times due to their specificity.
- The challenge labs are more than adequate to prepare you for the exam. If you can do those without your hand being held then you’ll do fine on the exam.
- As a Director, I would feel confident in an employee’s abilities to enter the world of web application penetration testing after completing this course and obtaining the certification.
The bad:
- A few vulnerability classes are not as fleshed out as I felt they should have been. SQL injection comes to mind. I felt like it was just enough to get you introduced but not enough to make you proficient. Luckily, what you learn is enough for the exam, but I would recommend using some external resources where you feel like you want to know more.
- When I mention that some of the practical labs are frustrating, I don’t mean I was frustrated because they were too hard. They weren’t “too hard” they were too specific – in the real world, you could exploit a vulnerability in 10 different ways, but the lab is looking for a single method and won’t allow you to complete it until you find the specific way they’re looking for. “Try harder” I guess…
- Offensive Security has yet to add dedicated Provide Grounds boxes for WEB-200. There are several boxes that I’ve seen users in Discord mention are good for WEB-200 but there aren’t any dedicated to it, yet.
How did I study?
As I mentioned earlier, I came into this with prior experience, so this is a rough breakdown of what I did without too much detail:
- I read the course material thoroughly.
- I completed each practical lab multiple times, in as many ways as I could.
- I completed the Challenge Labs twice.
- I did not watch any of the videos
- I did not engage in any external practice or use other resources (no TryHackMe, PentesterLabs, HTB, etc.)
Overall, I put about 60 hours into the course material and labs over a few months if I had to put a rough number on it. I would take breaks of days to weeks in some cases between study sessions, but my major focus was on completing one whole section in a sitting.
I focused on taking notes on things I found interesting or unique about the labs because I thought they might raise their heads during the exam. I would recommend storing your payloads and notes along the way to refer back to during the exam.
Exam Overview
The exam is typical of Offensive Security exams – you have 23 hours and 45 minutes to complete the exam and 24 hours after that to submit your final report. (23 hours and 45 minutes because it takes 15 minutes to get checked in with your proctor, they subtract that time). You will be on a VPN and proctored for the entirety of the exam. The proctor can see you and your room via webcam as well as all of your monitors. Outside of checking in and out with the proctor you won’t even really notice that aspect so if you are nervous about it, don’t be.
The exam consists of 5 vulnerable sites which you must hack into to achieve user-level access as well as escalate privileges to gain administrator/root access. The way you will prove you achieved said the level of access is to submit a local.txt file for user-level access and proof.txt for administrator-level access. To pass the exam you must obtain 70 out of 100 points with each flag, regardless of level, being worth 10 points. Unlike the OSCP, there is no bonus for this course and exam as of yet.
Exam Execution
Read the exam AND reporting requirements before taking the exam. You will be required to meet meticulous standards for the report, and you can easily shoot yourself in the foot early on if you aren’t paying attention. I strongly recommend you read the requirements a few times just so it sinks in.
I started my exam at 10 PM on a Friday. I immediately went to bed and got up around 8 AM the next day to start the exam. During this time, I just let the proctor know I would be out of the room, left my VPN disconnected, and then let them know I was back and connected to start. This gave me until 9:45 PM to get everything I would need (11 hours and 45 minutes total).
To start, I fired up Burp Suite and created a project. I have a Professional license that I bought for my bug bounty projects. Professional has some advantages over Community. The main thing I would say in terms of the difference and how you should modify your actions if you are using Community is that you should be careful to get screenshots of requests/responses ASAP. With Professional I could easily go back to my saved project and find the request I was looking for; Community users will not have that luxury. Outside of that, you don’t need Professional for anything. The course prepares you to do the exam without it and I did all the practice with Community edition because I started studies before the exam’s release when we didn’t know if Professional would be allowed.
I then conducted all of my recon in parallel to make the most of my time. I took all of the output of my recon and placed it in OneNote which is my chosen note-taking tool. After, I reviewed all of the recon and decided where to start on each box. After about an hour I had the first three flags, all being user-level.
To start testing I recommend a method that I tell all new pentesters to help them ensure they don’t get stuck down a rabbit hole. Use the 3x3 and 5x5 methods. When I find something, I think is interesting I’ll spend 3 minutes trying 3 variations of an exploit I think it may be vulnerable to. I take notes and move on unless I am 99% sure that I am close. I do that and cycle through all the boxes and potential footholds so that I don’t get too micro-focused. Then I’ll go back to the areas that continued to look like they were promising after the 3x3 session. I now do a 5x5 session on those potential footholds where I’ll spend 5 or so minutes on 5 different techniques. I keep doing this type of cyclical rotation around targets and potential footholds until I find something and can work through the exploit. I find that this method helps me avoid boredom/frustration and keep an open mind.
By about noon I had gotten 4 flags – 3 users and 1 admin. I continued my cyclical testing with longer and more in-depth rotations until I had all the flags by about 4:30 PM. With 4:45 left on the clock, I went through all of my notes to ensure I had the full steps to reproduce with screenshots for each vulnerability and exploit. I cannot stress this enough – ensure you have it all before the clock expires or you terminate your exam. By 6:30 I had a basic rough draft of the report with all steps-to-reproduce and screenshots. I let the proctor know I would be terminating the exam and they walked me through shutting it down.
I woke up the next morning and knocked out the exam in the recommended Offensive Security template. Again, read the requirements. Offensive Security makes it clear that the report has specific requirements for content, formatting, and even naming conventions. If you fail to follow directions, you will fail the exam and they make that clear.
I submitted my report and received my results within 48 hours.
Things to consider for the exam:
- Take breaks – going for a walk helps clear the mind when you are stuck.
- Eat and drink – being hungry or dehydrated won’t help you so make sure you are taking care of yourself.
- Take more screenshots than you think you’ll need, save commands and tool output, and structure your notes as you go so that they are clean.
Final Thoughts
Overall, I was very impressed with the WEB-200 course. I think that it establishes a great baseline for web application penetration testers, and I would trust someone who masters the content of this course to start working in the field.