g0lden's OSWA Thoughts!
My OSWA Review/Journey
Hi everyone! Offensive Security recently released their new web security course, web-200. This course finishes with an exam that, when passed, earns you your Offensive Security Web Assessor (OSWA). This course is very new, and I don’t see many reviews out for it, so I figured I would put my thoughts out there.
What Content is in Web-200?
The web-200 course is supposed to be OffSec’s beginner->intermediate web testing course. Unlike web-300 (OSWE), this course is all black box testing. This means that the course will teach you how to look at a web application without seeing the code. The course teaches topics like XSS, SQLi, Directory Transversal, etc. The entire course syllabus is here.
What Should I Know/Do Before Taking the Web-200?
This course is listed in the 200 level courses as an intermediate level course, and I agree with that rating. The topics covered are not too complicated if you have some history in web penetration testing. This course also really does not go into too much advanced tactics, such as encoding or using null-bytes to bypass WAFs. There is mention of it in the course, but only to mention that those type of attacks would be the next step. I would recommend this course for anyone with minimal experience in web security testing, all the way to someone with much more experience.
My Personal Experience with the course
This is where I have to be brutally honest. This is my third course/certificate I have from Offensive Security, and I would have to say that I think that web-200 and the OSWA exam was my least favorite experience. Now, I don’t want that to be mistaken as me saying that it was the hardest, because I still think the OSWE was a more difficult test. But this course really seemed to be thrown together way too quickly, with very poor support, and not enough practice resources. The “exercises” in the course seem thrown in, and I would argue that there were a lot that didn’t make much sense or could have been better. Also, there are enough lab machines, but I think the difficulty of a few leave some to be desired as far as practice. The lab machines seemed to just be difficult in the way that they make you waste a lot of time finding hidden pages, and less time finding vulnerabilities. The “support” of the course is what I really had the biggest issue with though. First, if you have a question, you are WAY better off just politely asking other students or DMing people. I asked so many questions in OffSec’s new discord channel, and if another student didn’t answer me, I just never got an answer half the time. The biggest problem with the discord support channel though is ALL THE EXERCISE/LAB SPOILERS! It is so frustrating going into the discord with good intentions to help other students with questions, and accidentally having my next lab box spoiled for me. And to the time of writing this OffSec has not done anything to delete/stop these spoilers. So if you want to actually attempt the labs without spoilers avoid the discord! Even though there were these issues with the course, I think the actual CONTENT they had in the course was still very good content. Just the way they used it was questionable (again, personal opinion).
Tips for the Exam
Just like every other OffSec exam, the exam sticks only to what is on the course/labs. So that is what you should be studying. Obviously I highly recommend finishing all of the ‘extra mile’ exercises and every lab machine. During your time doing the lab machines come up with a good “workflow” that works for you. There should be a healthy mix of content discovery, parameter gathering, and exploitation fuzzing/testing. This is what OffSec themselves recommend, and it will make sure that nothing slips through the cracks. During the exam it is important to remember that mentality is everything. If you get stuck and find yourself thinking, “I just can’t find anything I have looked at everything, and I tried everything”, THIS IS A MENTAL TRAP. Take a break, clear your head, and start over. Also a huge thing to remember with web applications is that they are built to do specific things. So when you are clicking through the applications, really be thinking, “what is this web app trying to do, and how could I make it do something else?”. In my opinion this exam is more a mental game than either of the other two that I took!
Thanks for reading! Connect with me! Thanks again for taking the time to read my review! Feel free to reach out with any questions, otherwise please connect with me on any of the platforms on the bottom left!