Advanced Web Attacks and Exploitation (AWAE/OSWE) Course Review

I recently took Offensive Security’s Advanced Web Attacks and Exploitation (AWAE) course and attempted the OSWE exam.

I successfully completed Offsec’s better-known OSCP course last year, which introduces you to penetration testing and offensive security techniques; however, with the AWAE course the focus is very much on web applications and the code behind them (which is, er, kind of explained in the title).

Having a development background, I wanted to know a bit more about what to look for when making and reviewing changes in code bases from a security perspective.

I’m not aware of much training being available in this space (pls add in the comments if you have come across anything good!) so decided to give it a go.

AWAE Course

AWAE structure is very different to OSCP.

AWAE teaches you key concepts by walking through several case studies of issues in real world applications.

One of the key takeaways I took from the course was how various smaller issues could be chained together to ultimately result in remote code execution (RCE).

You’ll be taught to script these exploits yourself with simple Python examples provided – sometimes in an incomplete state for you to finish off as a learning exercise.

A variety of applications and issues are covered in several languages and platforms including .NET, Java, PHP, Node and Python.

At the end of the course there are two (White-box) and 1 (Black-box) machines with no instructions/solutions to give you a taste of what’s to come in the exam (given the code focus of the course I’m not sure why the Black-box machine was thrown in there but hey, it’s there if you want to play with it).

I liked how the course taught key concepts with real world examples although some of the examples felt a bit dated. Having said that, the concepts are still very relevant so guess it’s ok, just might have been nice to see something newer and maybe a bit less PHP (yes you can certainly have too much of that IMHO).

It’s worth noting that I understand there’s been a recent update to the course with additional content around server-side request forgery and some other items added (I had the version prior to this).

The Exam

The exam is 48 hrs to review and bypass authentication mechanisms and then obtain RCE on applications you haven’t seen before – oh and you also have to script your attack end to end and write a report about it (you get another day for the report bit).

For writing the exploits you can use any language but you’ll probably end up using Python. I have a .NET/C# background but Python is so easy to pick up and use, and has a heap of great libraries, so it’s a no-brainer in my opinion.

The exam is tough and stressful.

To give you an idea of how tough this exam is (or possibly where I am skill-wise currently) I began the exam at 09:00 and finally found one of the authentication bypasses 13 hrs later at around 22:00. Annoyingly I’d actually spotted this earlier too..

I had RCE on the box at midnight and the whole attack scripted about 00:30 before going to bed around 01:30 after I’d written the process up.

The second day I didn’t find anything useful at all and unfortunately, I couldn’t complete the other items I needed which meant I didn’t pass the exam this time – I’m still wondering what I missed.. 😦

My learnings:

  • The most challenging part by far is finding the damn authentication bypass/initial foothold!
  • It took me too long to find the issues and I’d have a much better chance at passing if I could improve my methodology/spot these issues quicker – I suspect you need to train yourself to spot these
  • Once you find the issues things can turn around very quickly so don’t get disheartened if you haven’t found anything for a long time
  • Reading code in unfamiliar languages and frameworks whilst tired really ramps up the difficulty!
  • For those with a dev background coding the exploits was straightforward (probably the easiest bit for me) and I practised various approaches with my own https://github.com/alexmackey/hackthecat node app which gave me some good templates to use
  • If you don’t pass it’s hard to know what to do to improve – I think probably the best thing is to go over the course notes again, complete exercises you missed and look at other real world issues and code
  • I’d benefit from more real world security code review experience whether in day job or reviewing open source projects before tackling this again

I don’t like leaving things incomplete and not that I take a heap of certifications/exams but I think this is probably the first exam I haven’t passed (although my sociology grade wasn’t great going back to high school!).

For AWAE I’m of two minds whether I’ll retake it as:

  • It’s 3 days long! For those with work and family commitments 3 days uninterrupted by kids etc is a fair amount of time and investment for something with no guarantee you’ll pass
  • Seriously 3 days for an exam?! Reviewing code when really tired seems unnecessary, stressful and an unrealistic situation and you’ll feel smashed for a couple of days after (yes book at least 1 day off as you’ll need it)
  • There’s a fair amount of investment needed in stuff that may not be that relevant to you. E.g. I think I would have been a lot quicker to find the issues with being more familiar with weaker languages or frameworks I don’t use
  • I’m not sure how well known this certification is compared to say OSCP

I don’t have a heap of free time so I suspect I may now get more bang for my buck by working through some of PortSwigger’s great (and free!) workshops which, whilst they don’t focus on the code aspects, are relevant and then see how I feel in a few months – at least when I’ve forgotten what a horrible experience that 48hrs was and want the challenge again!

Summary

This course is really good at:

  • Demonstrating real world issues
  • Showing how issues are chained end to end
  • Improving your Python and exploit writing skills

You’ll end up developing some kind of methodology/approach from the examples and challenges but I think this is an area the course could do better in and provide more guidance.

I guess locating the issues really is the hard bit in this field and it must be a tricky thing to teach but there is a massive difference from being taken through an example to finding a problem yourself – the course only provides two machines to practice this end to end on (I enjoyed and completed them both).

This will be a challenging course for those without a development background to understand the code and some offensive security knowledge/techniques are assumed (I was fine after learning these aspects in OSCP).

Those with a development background will find the code aspects for the most part trivial but will also likely pick up some interesting items e.g. I learnt some things you could do with debugging symbols in .NET I wasn’t aware of and some weirdness about PHP variable handling – that second bit isn’t that relevant for me but it was interesting!

I completed the course and many of the exercises within 2 months with a full time job and family commitments so this should be do-able for most with other commitments unlike OSCP which will take over your life for a bit.

In summary I really enjoyed AWAE and learnt a lot from it. I would recommend it to other developers who want to know more about how attackers will exploit issues in code and what to look for; however, be aware this course has a bit of a gap when it comes to teaching methodologies to locate these issues.