It’s been a hectic few months but I’m happy to share that I have recently obtained the OSWE certification! I would like to share my experience with the course/exam and hope that those who read it find it useful.

The course
The course goes through various applications (syllabus) white-box style. Students are guided through finding and exploiting web vulnerabilities by analysing the source code of each application. No fuzzing or guessing is required.
I felt that some chapters of the course explained the concepts well and thoroughly, while others lacked finer details. One thing to get used to is that the applications studied are open-source and have very large code bases. It can get overwhelming at first but powering through is the only way.
The labs
Students can spin up instances of each chapter’s application to replicate the attacks taught. You have full access to the instance and are encouraged to set up database logging, debugging, etc. This gives you full transparency into how the application functions. I feel this is where the course really clicks, as reviewing the code alongside the PDF allows you to fully grasp the information. Another challenging aspect of the course materials is the “Extra Mile” exercises contained within the chapters. These exercises present additional questions related to the course materials, encouraging you to conduct your own research and analysis to find the answers.
After completing the course materials, students are also provided with challenge labs to practise their source code review skills. I felt that the challenge labs were solid and provided great practice for the exam. It is recommended to complete the challenge labs without hints or help from Discord, as they are a good measure of how ready you are for the exam.
The exam
I started my exam at 10:00 AM (Malaysia time) and joined the proctoring session 15 minutes earlier. After validating my identity, I faced an exam environment that was unfortunately not ideal and quite laggy.
Nonetheless, I went ahead and analysed the applications black-box style at first. I like to follow this methodology as I can map out the endpoints present and then check the relevant source code to verify whether each one is exploitable. This proved successful, as I managed to obtain the first flag within a couple of hours.
The entire exam was filled with breaks every 2 or 3 hours, re-reading exam objectives, and wondering how certain portions of code were vulnerable. I highly recommend reverting each box before running your exploit, as it ensures your exploit works from a clean state. It will give you peace of mind and confidence that it is 100% correct.
After the allocated time, I had enough points to pass the exam and worked on the report.
Tips & recommendations
This is the first time I sat for an almost 48-hour exam (47 hours 45 minutes). Staring at a screen for 2 days is not ideal, especially with the thought of possibly failing at the back of your mind. I encourage anyone to take breaks every 2 hours or so and to reward yourself with a break once a milestone has been achieved. More often than not, something just clicks in your brain whenever you step away for a while.
Here are also some additional resources I used for practice and learnt from:
The conclusion
As with any OffSec course, it may seem intimidating and scary from an outsider’s perspective. However, with enough dedication and effort, I believe it is manageable.
Overall, I liked the course and recommend it to anyone who intends to up-skill in source code review. However, certifications are not the only way. Fundamentals do not change. I had some experience with source code review through CTFs, which made the course easier to follow. Furthermore, web CTFs essentially provide what the course teaches: raw source code to be exploited.