OSWE Course Review

Who do you think this course is for?

I would definitely recommend this course for anyone looking to further their web knowledge and code analysis skills. I had never done SAST before this course, as my job doesn't require much of it, although I did have a vast amount of practice with web application hacking. I had touched each of the modules at least once before in my life, so I knew what each thing consisted of, it was just a matter of practicing it some more and getting comfortable.

This course is not an entry course in any way shape or form. If you get this course, without having done any kind of in depth web research before, it is unlikely you will pass. This is due to the fact that SAST methodology is not the only thing required to pass; OffSec will expect you to know how to take a vulnerability, implement it locally for easier debugging, research and test what works and what doesn't, and then learn to turn it into an exploit. This kind of critical thinking is something that comes over time, with experience.

First Impressions

My initial impressions of the course were extremely positive, I did not expect the course to be so in depth when it came to the analysis of each web vulnerability. What I mean by this is that each vulnerability that has been addressed so far has had a perfect description and explanation to accompany it, massively helping me get a grasp of how to exploit each separate vulnerability (it personally helps me a lot to exploit something if I know how the exploit works).

Understanding where the vulnerability lies in the code is also something I was very impressed with in the course, I didn't expect them to show the code for each part that was vulnerable. As someone that has very little SAST experience, it was definitely needed, not only for exploitation, but also to facilitate the remediation of the vulnerability in the code.

Another thing that I noticed a bit later on was the way the labs worked. I wasn't aware of the "wiki" until quite a bit later, so it was a pleasant surprise to see that OffSec had made each credential and machine easily accessible to the student, with all the necessary tools available immediately. The only thing I would say about the wiki would to be to make it's existence a bit more obvious. As of right now, it's only mention appears in the end of one of the e-mails you receive upon starting the course. The wiki is essential to actually be able to use the labs, and replicate the exploits demonstrated in the course, so I think it should definitely be addressed properly and clearly.

Overall Course

Positives

Overall, the course so far has been extremely interesting. I personally had a decent amount of experience with each vulnerability shown in the course from previous research and CTFs, although I was still able to learn a lot on subjects that I thought I mastered pretty well. The things I have learnt definitely aren't minor either, they are things like bypass methods and obscure tools that I hadn't heard of before. Some of the mysql waf bypasses learnt even led to some further research based around how PostgreSQL works and some exploitation methods that will be released in an independent research project in the near future.

I also think that an environment where people can learn to master the skill of static analysis and exploitation was massively needed. I am glad that such a prestigious company has taken the lead and developed such an in depth course. They never fail to impress.

Furthermore, seeing how certain attack chains can be put together is not only massively interesting, but refreshing. As I previously stated, a course of this nature was massively needed as an industry standard, and no course that I have ever seen has had such a perfect explanation of how you can chain different vulnerabilities to maximize severity, with a personal favorite being the use of a CSRF to change the settings on the Atmail application, which then allows for the upload of a PHP shell.

Potential Improvements

No matter how perfect something is, there is always room for improvement, which is why I have included this section, based around some ideas that I think would contribute massively to the course, and it's potential to teach someone extremely useful skills.

One improvement that I think would massively help the courses students is the teaching of how to actually locate vulnerable code. I understand in the course they show some uses of grep and other tools, although as someone with very little SAST experience, it can be very intimidating for me to go into an application that has thousand / millions of LoC to locate a specific vulnerability, so some methodologies of how to review code and get a feel for where the potential vulnerabilities could exist would be extremely helpful.

Another improvement that comes to mind would be the implementation of certain applications that don't show you where the vulnerabilities are for the student to do in their own time, sort of like practice examinations. I know there are resources that people can go out and use, such as exploit-db to try and find CVE's that already exist. But something that could be adapted to specifically help the student prepare for the exam would be cool.

Exam

When talking to the OffSec community manager (TJ Null), I expressed certain concerns regarding the course. He simply replied with "I think when you take the exam you will change your mind", and oh my god was he right. The exam was definitely the best part of the experience, the vulnerabilities implemented into the examination were the perfect distance between out-of-reach difficulty and push-the-student's-knowledge. It was thoroughly challenging and enjoyable.

Furthermore the support from the OffSec team with any technical difficulties was fast, and almost effortless. They ensured I was following proper guidelines and referred me to the correct department if I was facing any technical issues such as connectivity problems.

There really isn't much I would change in regards to the examination process, I think the OffSec team got it pretty spot on with the whole thing.

Summary

Overall it was definitely an experience I will not forget, some of the most intense 72 hours of my life, but still thoroughly enjoyable. I think OffSec has hit the nail on the head with this course, and the improvements (if any) would be minor. The main thing I would like to see would be an app for the course where we aren't provided with the solution, and we need to develope an  exploit for it on our own (similar to how OSCP has the bonus exercises for the extra 5 points, this bonus lab to hack could also be used for bonus points).

I would like to thank OffSec for putting together such an amazing course an adventure. Couldn't recommend it enough.