My OSWA Experience


Zumi Yumi

Hi everyone! It’s been quite a few months since my last post on my experience with OSCP. Today I’ll be discussing my experience with the OSWA certification and its associated course, WEB-200.

Background:

I’ve been into IT for about 4 years now, 1 year of professional IT experience and about 7 months of penetration testing experience. I work for AWS as an IT Support Engineer and part time for Synack Red Team.

I’m in the final month of my Bachelor’s in Cybersecurity, which I’m excited to be done with at this point!

I recently obtained the OSCP after 90 days of prep back in July of this year. I took a short couple-week break, then dove into obtaining the OSWA certification. You can read more about my OSCP experience here: https://medium.com/@zumyumi/obligatory-oscp-pass-post-1fff63c63b56

Course Preparation:

I didn’t do anything extra to prep for this course specifically. Understanding JavaScript, HTML, and how browsers/websites work would have been nice to have before starting this course. Web developers would have an easier time, I think. You can just jump into this course with none of that experience; my OSCP training I think helped a little, but honestly you don’t need it.

I thought the course was really fun and had a lot of interesting labs and challenges. During one of the challenge labs I forced myself to try to pull off a reverse shell with every machine and found it extremely difficult to do, and it led to me discovering a potentially new way to revshell with the Mako templating language.

Exam Preparation:

Complete the entire course, do all the labs, extra-miles, complete all the challenge labs twice. Do the challenge labs again after about two weeks and do not rely on your previous notes when you do it the second time.

Utilize PortSwigger as an extra practice tool to get better at the following things:

CSRF, SQLi, Command Injections, XSS, XXE, SSTI, IDOR, SSRF, CORS

https://emvee-nl.github.io/posts/OSWA-a-different-course-on-web-attacks/

eMVee has a lot of recommendations here as well along with a list of machines to practice your web application attacks and methodology against. I made good use of this resource and completed some of the machines referenced here.

I would also recommend joining the OffSec Discord. I’m pretty active in there, and there are many people you can ask questions or get help from regarding the content in the course, or even just general web-app questions.

The exam was pretty difficult for me, and I didn’t have a passing score until hour 23. I think that’s because I had a long break between when I reviewed the course material and when I took the exam. I think if I redid it I should have taken the exam after the second time I did the challenge labs. I didn’t sleep during this exam either, but took frequent breaks to think about my techniques and strategies.

If you feel stuck on a box longer than an hour, rotate to a different one. Try to assign a priority of what could be the most likely vector and try all possibilities. Don’t be afraid of going back through your notes or relying on Google search when you can’t think of something new. My report was 56 pages and it took me about 6 hours to write up, as most of it was output or screenshots.

My Opinions:

I think the course is overpriced for what it is or how much content you get out of it. If an employer is saying they would pay or go halfies, I would recommend taking it. It’s still a good course; it’s just not long enough when you compare it to how long OSCP is. I will say that the first CVE I discovered was from the content I learned in this course, so there is that.

If you want to be a bug bounty hunter or want to get better at web applications I recommend instead:

Bug Bounty:

CBBH (HackTheBox)

BSCP (PortSwigger)

Web Pentesters/AppSec SecEngs:

CWEE (HackTheBox)

OSWE (OffSec)

BSCP (PortSwigger)

Next Steps For Me:

I’m currently working on a fork of Tib3rius’s AutoRecon that will be better suited for OSWA with more functionality and automation designed for web application enumeration.

https://github.com/ZumiYumi/AutoRecon-OSWA

If you have any ideas or recommendations you would like to see on that tool feel free to let me know!

I plan on starting CRTO around February or later, and in the meantime I’m taking a break from certifications to focus on getting better at coding and applying to jobs.
