From AWAE to OSWE: The Preperation Guide

As promised on Twitter this post will document my steps through the OSWE exam preperation.

Searching for available study material

After some google action i found some useful stuff

• AWAE-PREP – GitHub Repo
  A lot of trainings, courses and other random stuff for the AWAE preperation.
• OSWE – GitHub Repo
  Additionall sources about the vulnerabilites and exploits within the AWAE course material.
• OSWE Preperation – YouTube Playlist
  I found a lot of interesting videos about Deserialization (important topic!), so i created a small playlist on my YouTube Channel.

Step 1: The Plan

I decided to follow the training order mentioned in AWAE-PREP because it seemed logical considering the AWAE course material.

Step 2: Start

Javascript

I started with the Javascript for Pentesters course on Pentester Academy. I learned some useful stuff to create even more customized XSS Payloads with fancy functions xD. Some examples are Multi-Level JSON/XML/HTML Parsing, CSRF Token Manipulation, Posting/ Fetching XMLhttpRequests or Stealing data from fields with autocomplete.

SQLi

I also ordered a awesome book about SQLi. So far i have only read 50 pages but i highly recommend this one! You will learn the very basics of most SQLi vectors and sharpen your skills for more sophisticated attacks! I will add more information when reading further 😉

Random Stuff

• https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
• https://github.com/qazbnm456/awesome-web-security/blob/master/README.md#practices-application
• https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Deserialization_Cheat_Sheet.md
• https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
• https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/
• https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/
• https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
• https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet

Loading…

This post will frequently be updated, so watch my Twitter Feed or visit this page again 😉
As always, every feedback is very welcome (please via Twitter)!