OSWE Prep
Sharing my own personalized roadmap based on my current skillset to prep for OSWE.
Overview
As I am still pretty new to pentesting in general, I have decided to pursue OSWE (Offsec Web Exploit), partly because my company is able to support me and I want to gain more knowledge in web apps. My work also has a lot of web app pentesting and source code review projects, so OSWE is the logical next step for me.
I have gone through the OSWE syllabus, and it needs me to have knowledge of different kinds of web exploitation and scripting, and to be comfortable reading source code in different programming languages. I only have limited experience in web exploitation, familiarity with Python, and limited experience in reading source code.
With that, I began to scour the internet and read different OSWE reviews, and most of them recommend at least knowing how to read and identify the code and create a script to exploit it.
With OSWE, one has to focus on identifying the vulnerability and scripting it, not get stuck on how to write the code during the exam. So I will need to have some kind of boilerplate code that I can use during the exam to save time.
With my current experience, I have a lot to cover, specifically:
- Scripting in Python
- Advanced knowledge in web exploits
- Source code review
With Python scripting, I only have the fundamental knowledge, as I’ve gone through the course on boot.dev, which is an amazing resource btw to learn how to code.
And for web exploitation, I only have the experience of doing all the past labs on HTB and PG during my prep for OSCP, so my exposure is still quite limited. For source code review, I’ll need to learn how to read different programming languages.
From what I gathered from OSWE reviews, I’ll need to know how to read:
- Java
- JavaScript
- PHP
- Python
- C#
- .NET
The Plan
With that said, I decided to do the labs on Burp Academy because I’ve heard a lot of great things about it and I could use a refresher on web exploits as well. One bonus point: it is free too!
After manually solving each lab, I will also create an autopwn script that’ll solve the lab from start to finish. The script won’t be pretty, and probably won’t follow best practices either. If there’s anything that I can improve, please let me know by reaching out to me on Discord.
To be honest, creating a script for the labs sounds very intimidating, as I don’t really know how to write it, but this is what it takes to get to the next level.
I am also excited to learn how to create my own scripts, as during my OSCP prep I always used those POC scripts and I was always impressed by the people who made them to exploit certain vulnerabilities. This time, I’m gonna be the one making them.
After Burp Academy, I’ll probably do some code review labs for 1~2 months before activating the OSWE lab for 90 days. I still haven’t decided which platform to use for code review yet, so for now I will just go through Burp Academy and scripting.


