If you've come across this post, you are probably wondering if the online version of the AWAE course by Offensive Security is for you. Like you, I had many questions when starting out and couldn't find the answers online. Now that I've spent some time with the course, I've posted them here in the hope that it might help you decide.

This is a work in progress; please reach out on Twitter @_davesatch if you have feedback or further questions.

What is the 'AWAE'?

The AWAE, short for Advanced Web Attacks and Exploitation, is a web application security course offered by Offensive Security - the team best known for their OSCP credential. Not to be confused with their AWE course, the AWAE focuses on offensive attacks against web applications and covers various techniques that can be used to exploit vulnerabilities in order to gain privileged access.

For many years the only way to attend this course was in-person at a BlackHat conference, where places sold out quickly. After a short beta period Offensive Security have recently released it online.

Who is it for?

Web developers with a security mindset and experienced web app penetration testers. This is not an entry-level penetration testing course. The exercises will require you to understand application logic flows, read, modify and, in some cases, write source code in Python, JavaScript, PHP, Java and .NET (C# and VB). It will also require you to write scripts that can be run from a Linux shell.

  • If you are a beginner looking to get into penetration testing or offensive security as a career, I would recommend you try the OSCP first.
  • If you are an AppSec engineer but found the OSCP to be too broad, this is probably what you are looking for.
  • If you are comfortable with source code and web application frameworks and are looking for a challenging deep dive into security, this may be a better place to start.
  • If you are thinking of using the OSWE credential to find a job, be aware that it is not yet known in the market and will not have the same hiring power as the OSCP, although it will give you some great skills to talk about in a web security interview.

Is it expensive?

It costs more than the OSCP, but a lot less than some of the other credentials on the market. Currently the course with 30 days of lab access will set you back USD $1400 including a single exam attempt, with more expensive options for 60 days (USD $1600) or 90 days (USD $1800) of lab access.

On average, an experienced web pen-tester with basic code experience will find this harder than the OSCP while an experienced web developer with decent security experience may find it slightly easier as it aligns better to their existing skills and experience.

Do you recommend it?

I do, but for two specific audiences:

  1. Those who have already got the OSCP, have spent time as a web application pen-tester and want to go deeper into the white-box / source code approach.
  2. Those with a software background and a good understanding of the OWASP Top 10 who want a course that goes deep into a number of common security issues.

As a software engineer who focuses on AppSec I found this course more aligned with my skills than the PWK/OSCP. The focus is on a "white-box pen testing" approach that combines detailed source code analysis with a range of custom scripts that you will write yourself.

What is the 'OSWE'?

The OSWE, or Offensive Security Web Expert, is a new credential created by Offensive Security to align with the AWAE course. The exam has recently become available, and we know the following details:

  • simulates a private VPN with a small number of vulnerable apps
  • has a duration of 47 hours and 45 mins, with an additional 24 hours to submit a report
  • source code analysis tools and vulnerability scanners are not allowed
  • you will need 85 points out of a possible 100 to pass

Is the AWAE course similar to PWK/OSCP?

Not at all. In this course you will deep dive into a small number of older, vulnerable web applications instead of a network full of potential vulnerabilities. Unlike the OSCP, you are given access to the source code and various credentials for each of your target hosts and expected to perform white-box analysis to exploit the vulnerabilities. You will be provided access to a remote desktop with de-compilation tools and source code for you to use in performing the exercises.

There is no need for you to go out and 'recon' the target network. Instead, success in the labs will depend on your ability to dig deep into a single app, create in-depth scripts, de-compile source code and write code snippets that find, create or exploit vulnerabilities. In the labs 'root' is not the end goal - once you have it you will be expected to go back and find other attack vectors.

How is the AWAE content structured?

Like other online Offensive Security courses, you will be required to schedule a start date for your course and given a choice between a number of slots that begin on Sundays. Once your scheduled start time comes around, you will be sent an email containing details on how to access the:

  1. Course Materials - a link will be provided to download both a PDF workbook and a series of matching videos
  2. Lab Access - VPN access will be provided to a hosted environment containing 5 virtual machines; access will be provided for either 30, 60 or 90 days based on your payment option
  3. Exam Attempt - a scheduling link will be provided where you can select an exam slot to attend

The workbook largely follows a format that:

  1. provides an explanation of a particular vulnerability,
  2. provides code snippets that assist in the explanation,
  3. expects you to use the details to perform further research on your own to perform a series of attack exercises.

The topics start out light and increase in difficulty fairly quickly. You will build scripts to exploit basic vulnerabilities and then build on top of those scripts to mount more advanced attacks. There will also be 'extra mile' questions that offer little guidance and will require more in-depth research to complete.

An outline of the topics covered in the course can be found here.

Are the vulnerable apps and tools available online?

All the vulnerable apps provided in the course are freely available online, however some have been modified to support the contents of the course.

The scripts and example source code snippets provided as part of the exercises have been developed for the course and cannot be found online.

Some of the exercises use open source tools such as JD-GUI, dnSpy and the excellent Burp Suite.

What should I do before starting?

Skills that will help you to maximise your time in the labs include:

  • Comfort and competency with an interpreted scripting language that you can use to create and modify JSON data and make HTTP requests (many examples will be in Python)
  • Ability to understand and perform modifications to JavaScript, PHP, Java, C and C# code
  • Familiarity with the Burp Suite
  • Familiarity with debuggers and de-compilers for Java and .NET such as JD-GUI and dnSpy
  • Familiarity with Postgres and Postgres extensions

The basics of many of these topics will be covered in the course, but the expectation is on you to learn and understand them more deeply. I suggest investing time to be comfortable in each of these areas before you begin. This will allow you to maximise your lab time. You will find many of the example scripts will be provided in Python, however you can write your solutions to the exercises in another scripting language if you prefer.

Regardless of the path you take, expect to spend a reasonable amount of time 'digging deep' into online documentation and tutorials in order to complete the exercises.

Do I need to document my lab examples?

At this stage it doesn't appear that the lab examples will form part of the scoring process as they do in the OSCP exam. I still recommend keeping detailed notes of the process, commands and scripts you use to perform the examples, particularly the 'extra mile' questions. That way you can go back and redo the exercises before the exam. It's also likely that you will end up writing a bunch of scripts and code that will be useful in the exam or even in the workplace after completing the course.

What is the difference between the OSWE and OSWP?

Offensive Security has another, similar sounding credential called the OSWP. This relates to wireless security testing and is not related to the material you will cover in the OSWE.