As promised on Twitter, this post will document my steps through the OSWE exam preparation.
Searching for available study material
After some Google action I found some useful stuff:
- AWAE-PREP – GitHub Repo
  A lot of trainings, courses and other random stuff for the AWAE preparation.
- OSWE – GitHub Repo
  Additional sources about the vulnerabilities and exploits within the AWAE course material.
- OSWE Preparation – YouTube Playlist
  I found a lot of interesting videos about Deserialization (important topic!), so I created a small playlist on my YouTube Channel.
Step 1: The Plan
I decided to follow the training order mentioned in AWAE-PREP because it seemed logical considering the AWAE course material.
Step 2: Start
Javascript
I started with the Javascript for Pentesters course on Pentester Academy. I learned some useful stuff to create even more customized XSS Payloads with fancy functions xD. Some examples are Multi-Level JSON/XML/HTML Parsing, CSRF Token Manipulation, Posting/Fetching XMLHttpRequests or Stealing data from fields with autocomplete.
SQLi
I also ordered an awesome book about SQLi. So far I have only read 50 pages but I highly recommend this one! You will learn the very basics of most SQLi vectors and sharpen your skills for more sophisticated attacks! I will add more information when reading further 😉
Random Stuff
- https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
- https://github.com/qazbnm456/awesome-web-security/blob/master/README.md#practices-application
- https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Deserialization_Cheat_Sheet.md
- https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
- https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/
- https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/
- https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
- https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
This post will frequently be updated, so watch my Twitter Feed or visit this page again 😉
As always, all feedback is very welcome (please via Twitter)!