Guest post contributed by Samuel Whang, OSCP. Originally published on Medium and re-posted with permission from the author.
After obtaining my Offensive Security Certified Professional (OSCP) status, I started searching for a direction. The most common advice that I’ve received from many professionals who are far more experienced than I am was to specialize in something because it’s difficult to be an expert at everything. The difficult part about carving out a direction for your career is getting exposed to the different areas of penetration testing. I decided to tackle Offensive Security’s Advanced Web Attacks and Exploitation (AWAE) course to figure that out. One of the main things that I was pleasantly surprised about was that the course doesn’t benefit strictly white-box web application penetration testers. The content is presented in a way where all penetration testers can greatly benefit.
It’s important to understand that AWAE is not a black-box web application penetration testing course. This is a white-box course which involves auditing large codebases. For those who recently obtained their OSCP status and are looking at AWAE to level up, the course and lab are not set up in the same format. While the Penetration Testing with Kali (PWK) lab is designed for students to apply their knowledge gained from the lab guide and supplemental research, the AWAE lab is designed to correspond with the lab guide to help students follow along closely.
I think the AWAE lab format works because it provides students the opportunity to understand what vulnerable code looks like, how to trace the code execution flow and to develop a methodology to find potentially vulnerable code. Similar to the PWK labs, supplemental research will be required in this course.
The content is provided in the form of case studies where the instructor walks students through the process of tracing code execution flow from the initial vulnerable code in the codebase. In the process of tracing the code execution flow, the instructor incorporates the various topics listed here:
ultimately chaining multiple vulnerabilities together to obtain a shell.
In addition to performing the steps mirroring the instructor’s, students are provided with challenging “Extra Mile” tasks. These tasks require students to approach the codebase differently and create a proof of concept exploit accordingly.
Similarly to the PWK lab guide, the AWAE lab guide provides all the fundamental knowledge. It is incumbent on the students to develop their methodologies and go the extra mile to build proficiency.
As briefly mentioned, the lab environment corresponds directly with the lab guide. Students are expected to follow along with the instructor’s step-by-step guidance to understand the characteristics of vulnerable code and to understand the process of following code execution flow within the large codebase to ensure that the code is accessible.
The lab environment is also critical for reasons other than following the lab guide. The instructor does not necessarily demonstrate, in-depth, the methodology for approaching a large codebase to identify the initial vulnerable code. This is important to note because students are expected to develop their methodologies to quickly identify vulnerable code that is also accessible. With that, the instructor provides enough details to understand the types of things students should look for within a large codebase.
Although the obvious audiences for AWAE are security-minded web developers and web application penetration testers, this course is beneficial for all penetration testers. For those trying to find a specialization, this course is still worth taking depending on your level of comfort with reading and writing in various coding languages. Although the content is advanced, the course is presented in a way that allows students to apply the knowledge learned in most assessments involving web applications. Regardless of a student’s specialization route, understanding vulnerabilities is a requirement for penetration testers, which is one aspect that makes AWAE such an awesome course.
Written by Samuel Whang. Samuel is an OSCP holder and penetration tester. – @klockw3rk_