Advanced Web Attacks and Exploitation (WEB-300) Review


What is the AWAE?

Advanced Web Attacks and Exploitation is a course by OffSec that helps you develop your exploitation skills in web application penetration testing. It focuses heavily on white box testing, so if you are interested in improving your white box testing skills, this is the course for you. This is an advanced course, so you are expected to be familiar with various web technologies and to have basic scripting skills. It is not a course for learning the various web vulnerabilities out there; there are many other alternatives for that, like PortSwigger Academy. Do check that out if your aim is to learn about and be exposed to different types of web vulnerabilities.

Why did I take the AWAE?

I took the AWAE as I wanted to improve my skills in exploiting vulnerabilities in web applications. I also wanted to learn how to do white box testing after learning it from a theoretical perspective. Another factor that pulled me to take it was the appeal of the OSCE3 certification; it seems like it is working on me :P.

Course Overview

The course takes you through a series of case studies. In these case studies, you will learn about various types of vulnerabilities and how they were discovered from a white box testing point of view. It is very comprehensive, as the case studies are walked through step by step. From there, you also learn how to create your exploitation script from scratch, which is mainly done in Python.

Lab Environment

The lab environment was great and stable. I didn’t have any issues with it. Each case study has its own lab setup. There are also challenge labs where you can put the skills you have learnt throughout the course to the test. I really enjoyed doing the challenge labs as they allowed me to see the bigger picture. There were some moments where I was very confused while going through the material, and I only understood why it is taught that way when I attempted the challenge labs.

Exam

The exam is a 48 Hour Practical Exam where you have to fulfill certain objectives. Passing it will grant you the OffSec Web Expert (OSWE) certification! While I can’t say much about the exam, what I can tell you is that everything tested can be found within the course material. The exam is doable if you understood the vulnerabilities that were taught in the course. You would also need to learn how to chain vulnerabilities, so always think about what the vulnerability at hand is and how it can lead you to fulfilling the exam objectives.

I reached a passing score at around the 30 Hours mark!


Pros & Cons

Pros:

Excellent Case Studies, each introducing a particular type of vulnerability.
Course taught with a focus on White Box Testing
Learn how to chain various vulnerabilities together that can lead to authentication bypass or even Remote Code Execution.

Cons:

Pricey, 90 Days of Lab Access + 1 Exam Attempt costs around US$1749
Not for learning the various types of web vulnerabilities; there are better resources for that, such as PortSwigger Academy.

Should I take AWAE?

Take it if you see yourself doing white box testing or source code review. If you are more familiar with web application pentesting, then I would recommend taking it to challenge yourself!

Is the OSCP needed to take this course?

While the skills learnt in OSCP may help, I feel it is not necessary to take the OSCP before attempting the OSWE exam. With that being said, one should already be familiar with the common types of web vulnerability out there such as XSS, SQL Injection, LFI…

Final Verdict

🔥 Rating: 8/10 🔥


http://frostsg.github.io/2025/04/15/oswe/
Author: frostsg
Posted on: April 15, 2025