My OSWA Exam Review — WEB-200 Foundational Web Application Assessments with Kali Linux

I recently undertook the WEB-200 course, which is designed to provide foundational knowledge in web application assessments with a focus on Kali Linux. The course culminates in the prestigious OffSec Web Assessor (OSWA) certification. I would like to share my learning experience and insights, as well as my exam journey.
Learning Experience:
Upon enrolling in the course, I was provided with a wealth of resources, including over 7 hours of video content and a comprehensive 492-page PDF course guide. This extensive material was instrumental in building a solid foundation of knowledge.
As I progressed through the course, I found that I had to revisit certain concepts and lab challenges several times to fully grasp them. The learning process was iterative, and I made it a point to reference multiple cases whenever I encountered difficulties in the labs or other related challenges.
By diligently working through the video content and lab exercises and referring back to the course materials, I was able to complete 90% of the lab challenges and felt well-prepared for the exam.
Exam Attempts:
My journey to obtain the OSWA certification was not without its challenges. It took me three attempts to pass the exam successfully.
In my first attempt, despite completing all the labs and learning modules, I received a disappointing score of 50 points. This setback prompted me to immediately review the course videos, paying particular attention to the areas where I had struggled during the exam. The lesson I learned from this initial attempt was to keep it simple; I had overcomplicated my approach by creating complex payloads. Staying aligned with the course content proved to be a more effective strategy, and I also found valuable exam hints within the course videos.
For my second attempt, I collected 60 points but needed just one more flag to pass. Unfortunately, I encountered a unique challenge related to my setup. I had used macOS for all my learning and labs and continued with the same setup for the exam. While my setup had been excellent for executing and performing tasks, I faced an issue during the exam where my Python HTTP server couldn’t be reached via VPN. Despite spending several hours attempting to resolve this problem, I made no progress. Ultimately, I informed the examiner and switched to a “Kali” machine, which allowed me to proceed. However, I encountered a separate issue where certain functionalities, like signing in and registering, were unresponsive, but this issue was unique to the remaining site. Despite a thorough review, no solution was found, and I was unable to progress further.
For my third and successful attempt, I decided to create a new Kali setup with the latest release. This time, I was able to overcome all hurdles and capture the required flags. I still used my macOS for performance reasons but switched to Kali when needed.
The following information from the OffSec site gives an overview of this course.
Benefits of taking WEB-200:
The WEB-200 course offers numerous benefits to learners, equipping them with essential skills and knowledge in web application assessments with Kali Linux. Upon successful completion of the course and exam, learners will earn the prestigious OffSec Web Assessor (OSWA) certification, a testament to their expertise in web exploitation techniques on modern applications. Here are some of the key benefits learners can expect:
Enumeration of Web Applications and Database Management Systems:
Learners will gain proficiency in enumerating web applications and become familiar with four common database management systems, a crucial skill for web assessment professionals.
Manual Discovery and Exploitation of Web Vulnerabilities:
The course empowers learners to manually identify and exploit common web application vulnerabilities, providing them with the hands-on experience needed to secure web applications effectively.
Advanced Cross-Site Scripting (XSS) Techniques:
Beyond the basics, learners will delve into advanced XSS techniques, going beyond the typical “alert()” and learning how to exploit other users through cross-site scripting attacks.
Templating Engine Exploitation:
The course covers the exploitation of six different templating engines, often leading to Remote Code Execution (RCE), a skill highly sought after in the field of web application security.
About the Exam:
The OSWA exam is a pivotal part of the certification process. Here’s what you need to know about it:
Proctored Exam:
The OSWA exam is proctored, ensuring the integrity of the certification process.
Preparation:
The WEB-200 course, along with its online lab, serves as comprehensive preparation for the OSWA certification exam. Learners can expect to be well-equipped with the knowledge and skills required to succeed.
Learn More:
To gain further insights into the OSWA exam, learners can explore additional information provided by the course, helping them understand the exam format, requirements, and expectations.
Prerequisites:
Before enrolling in the WEB-200 course, it’s essential for all learners to have completed the following prerequisite courses:
- WEB-100: Web Application Basics
- WEB-100: Linux Basics 1 & 2
- WEB-100: Networking Basics
These prerequisite courses lay the foundation for a deeper understanding of web application assessments and ensure that learners have the necessary foundational knowledge.
Syllabus:
The course covers a wide range of topics, ensuring that learners gain a comprehensive understanding of web application assessments. The syllabus includes:
- Tools for the Web Assessor
- Cross-Site Scripting (XSS) Introduction, Discovery, Exploitation, and Case Study
- Cross-Site Request Forgery (CSRF)
- Exploiting CORS Misconfigurations
- Database Enumeration
- SQL Injection (SQLi)
- Directory Traversal
- XML External Entity (XXE) Processing
- Server-Side Template Injection (SSTI)
- Server-Side Request Forgery (SSRF)
- Command Injection
- Insecure Direct Object Referencing
- Assembling the Pieces: Web Application Assessment Breakdown
This comprehensive syllabus ensures that learners are well-versed in a wide range of web application assessment techniques.
Exam Retakes & Lab Extensions:
In cases where learners require additional lab access time or need to retake the exam, OffSec provides options through the OffSec Training Library. Here are the details:
- OSWA Certification Exam Retake Fee: $249
- WEB-200 Lab Access Extension (30 days): $359
These options offer flexibility and support for learners who may need extra time or additional attempts to achieve their OSWA certification goals.
Conclusion:
Despite facing challenges and setbacks, my experience with the WEB-200 course and OSWA certification was incredibly valuable. The course not only provided me with a solid understanding of web application assessments but also introduced me to new attack methods, encouraged out-of-the-box thinking, and improved my exploitation techniques from vulnerability identification to remote code execution (RCE).
In retrospect, I would advise future learners to pay careful attention to the course content, embrace simplicity in their approach, and ensure their setup is thoroughly tested before the exam. With determination and persistence, the OSWA certification can be achieved, opening up exciting opportunities in the field of web application security.