How does it feel to have passed OSWE in 2024?
My Experience
On the 24th of June, I received my OSWE certification from OffSec, formerly known as Offensive Security. It’s a solid certification for a web penetration tester position. Before I delve into the details, let’s start by discussing the key aspects of the course, my experience, and the exam itself.
To give you a sense of the course and the exam’s difficulty, here’s a bit of my background:
I’m a penetration tester with over six years of experience in cybersecurity. My primary focus is on web penetration testing, API penetration testing, and security code reviews. I hold several certifications, including BurpSuite Certified Practitioner (BSCP), eWPTXv2, eMAPT, eCPPTv2, and eJPT. In my free time, I enjoy playing on HTB, which I’ll mention again later in the text. Each year, I perform approximately 30 web penetration tests and assessments, most of which involve a white-box or gray-box approach (assuming that having only application credentials is considered gray-box). This includes technical reporting and supporting customers until all severe issues are remediated.
For a long time, I steered clear of Offensive Security certifications and courses. This was largely due to my personal encounters with what I perceived as an ‘OSCP-cult’ mentality, where individuals with these certifications seemed to have knowledge gaps yet an inflated sense of self.
Considering that the OSCP is regarded as an entry-level certification in work scenarios by many professionals and barely covers web, the pricing policy doesn’t seem affordable for beginners, and generally, it doesn’t appear to be fair enough.
At the same time, Offensive Security does indeed offers a certification that specializes in Web Security and is considered Advanced (OSWE) and since I recently found myself with the opportunity and time to give it a try. I decided to form an opinion based on my own experience, rather than solely judging the skills of other certificate holders.
First Encounter with OffSec’s Platform:
The platform is quite modern and offers a good user interface experience. It’s easy to find what you’re looking for. However, one thing I didn’t like about the platform is the short-lived session. Each time you log back in, you need to navigate back to the course, then to the module or lab. If it was a lab, you also have to check if it’s still active. It’s a bit of a hassle…
Despite this, the platform offers assistance on any step and moment of learning (except, “Extra Miles” — tasks supposed to be done without help), and has active and friendly community on the Discord server.
Learning Materials:
The arrangement of the learning materials is excellent. They start with the basics of using a proxy, debugging, decompiling, etc., and then move on to the main material. Each topic is independent of the others, so you can learn them in any order.
The learning platform provides materials in both text and video formats. You can also request to download the materials as a PDF.
A Few Additional Words on the Materials:
The course covers a variety of topics related to specific vulnerabilities. Some are common in real projects, while others are rare or have a very low rate of presence, and more importantly, of being exploitable.
Each topic starts at a beginner-friendly level, with OffSec explaining what it is and what you need to know to understand it. Then they provide step-by-step examples or scenarios of exploitation. Sometimes, reading these materials can be more challenging (it really depends on the writer) than watching a 10-15 minute video covering the same information. From my experience, I skimmed through most of the topics since I didn’t find much new information. However, even if you’re an experienced professional, you can still gain some insights on certain points that you might have overlooked or missed when learning the same topic on other platforms.
At the same time, the number of topics is limited, and some are repeated two or three times in different scenarios. This was a disappointment moment for me.
About the Exam:
There are already many posts on the Internet about the exam process. It’s quite standard for OffSec, but I think the proctoring is a bit outdated.
The 48 hours allotted for the practical part of the exam is a HUGE amount of time for the tasks, so you have plenty of time to rest, maintain a work-life balance, sleep, and eat. The 24 hours for the report is also more than enough. If you know what you found and can explain it, it’s a piece of cake. Especially because it’s not a real-life pentest report, but more like a walkthrough and reproduction steps. Just don’t forget to document all the evidence you find.
But one thing that really annoyed me was the environment LAGS. The RDP connection to the debug machines had a constant ping of over 140ms, and the RDP experience requires a lot of patience (or it can make you very mad). For a course and exam that cost as much as this one, it’s not the best experience.
Also, in my opinion, based on the applications given on the exam, the course seems to be outdated very soon. At the same time, it covers some things that will not become obsolete unless the technology or language changes completely.
Alternative/Additional Ways to Prepare Yourself
- First of all, I want to mention the main Hack The Box platform. Doing machines is good, but the great experience of the white-box approach can be found by doing web challenges. They are short, dedicated to one or several web problems, and all you have to focus on is the code and the application. Meanwhile, while old challenges might be super CTF-like, new ones are quite realistic, cover modern vulnerabilities, and dangerous code examples.
- But if a specialist lacks a strong understanding of the fundamentals and basics of web security on each topic, it would be better to start with the Portswigger Academy, and then switch to doing CTFs and challenges when you already have knowledge about the topic and need to master them in advance.
- I can also recommend doing code review challenges on the PentesterLab platform.
- And finally, Hack The Box Academy is another place to start with easy topics and end with sophisticated ones.
How to Prepare During the Course?
The best approach, in my opinion, is to note only the necessary and specific things such as certain steps, commands, insights, payloads, and patterns. If you find that you absorb information better from videos rather than text, go to the video section whenever possible, and then “refresh” what you watched by reading.
Engage with the labs and don’t overthink them when the lab is explained in the course. If you’re doing this for the first time, let the course guide you. But don’t forget to complete the tasks they offer. Going the extra mile can be fun, but if you find yourself stuck, it’s okay to skip and move on.
Write and save scripts you are asked to write during the course. Some code snippets might come in handy on the exam (of course, you’ll need to modify them, but at least you won’t need to write from scratch).
Primarily, ensure that you can complete the three labs that don’t have text material and are meant to be passed by a student independently. If you can do this, you can confidently assume that you’re prepared enough to schedule the exam and pass it. :)
Challenges Faced
The two main challenges I faced were missing the rule that payload generators can be used on the exam, and writing script.
Value and Application
Many job positions still prioritize certifications over experience, so having one won’t be superfluous. I indeed gained some insights and learned new things in several topics, and I appreciated a good explanation for one of these insights. It’s good to have, but not a “must”. Also, it will be beneficial for both employees and employers who get clients that require certifications and are less flexible. They may not know and rely on the “top Google results on what measures a cybersecurity specialist”, and we can’t blame them for this, because everyone wants to get the best experience and doesn’t want to be a victim of a fraudulent service.
Who is this Course For?
In my honest opinion, this course is for someone at the intermediate level in the web penetration testing area. It’s a great opportunity for them to confirm their ability to navigate and research large applications within a limited time period.
For people who regularly work with a white-box approach, it won’t be a problem to cover all the topics in few weeks in a relaxed mode.
Would I recommend purchasing it at full price? Maybe not.
There are other great platforms that offer amazing study materials, such as the Portswigger Academy, which covers MOST of the current web application security topics for FREE, and the exam costs only $99 at the time of writing this post, excellent choice for start, but the AWAE exam supposes you are already familiar with web and have plenty of experience. HackTheBox Academy is another great place, with a price of $1260 per year (which can be paid monthly) that offers the opportunity to learn a HUGE amount of information on MOST topics in cybersecurity in TOTAL (their CWEE is a great competitor to OSWE, in my opinion). They offer a lot of different practice in pwnage and code review, sophisticated technices, and hacking tips and requirements.
Also, cannot pass by the Pentesterlab platform, that has specifically code review challenges. Many challenges.
Buy it when your company supports this decision and encourages you to get the certification, offering their help. But if your primary goal is to gain knowledge and you’re spending your own money, there are plenty of opportunities to spend it more wisely.