Background

I’m happy to announce that I’m also now an Offensive Security Web Expert (OSWE), and can perform Source Code Reviews! Or at least I think so after passing the exam :joy:

Got the required 3/4 flags in the end, scraping by with a pass :sweat_smile:


Exam Experience

I was lucky enough to have my two exam machines be PHP and Java. Apparently there are different combinations, which could catch people off-guard with less familiar languages such as NodeJS and C#.

I finished on time, but completely missed the last flag. I went down several different rabbit holes and none of them were the vuln in the end :see_no_evil:

Reflection

I almost didn’t pass the exam because I went in pretty much blind. I did not know there were exam prep boxes (3 of the few outlying VMs on the spin-up page) that mirror the environment and the style of vulnerabilities that will be in the exam.

If you’re going for it I highly recommend doing all the prep boxes first!

What about FSWA?

Someone asked me, and here’s my answer:

  • OSWE:
    • knowing webapps better inside out, which leads to better pwnage overall once you understand the vectors
    • source code review skill for delivering Secure Code Reviews as a service
    • if you wanna achieve OSCE3, or just to flex on top of OSCP people
    • showing prospective employers that yes, I can at least do some code review
  • FSWA:
    • shows you have $$$ and dedication to the craft to put your time and money into it ??? I guess????
    • you want to head towards vuln research in the web space and look for high-impact server-side vulnerabilities
    • if you’ve done OSWE and want the next level up

Bonus note: Steven actually wrote some of the content for OSWE as well :D

Nifty features

  • the course material includes videos and a PDF which can be saved for future viewing afterwards, which is nice if you need to revisit specific concepts etc.

  • OffSec has a Discord channel dedicated to course students asking questions, where a mod will jump in and help from time to time