awae / web-300 unused prep notes

Shortly after earning my OSCP I wanted to someday continue that push through the Cracking the Perimeter/OSCE certification as well. I never got around to it, and then OffSec retired that course while releasing AWAE(now WEB-300)/OSWE (and EXP-301/OSED), which I immediately also wanted to do. Part of my prep for a major certification is to Google up all sorts of reviews and posts about the certification and what other study materials and tips and insights other students found useful. This includes blogs, reddit posts, forum posts, and anything else that I could find or dig through. As such, I did plenty of this as preparation for the AWAE (WEB-300). I still plan to pursue this someday, but for now I wanted to share what I had compiled into my personal notes.

Some of these things I may have gained knowledge of through other less formal means over the past few years or just outright completed without really planning it, but AWAE is still pretty new and all of these resources are likely still relevant.

That said, never let too much preparation get in the way of getting access to the course and the labs for practice. You don’t just get sent off straight into an exam, and can always put that part off for later if some gaps in knowledge continue to linger.

Lastly, it should go without saying to click links below at your own discretion. All are external to this site.

My Goals

  • level up my hands-on web app pentesting
  • code review skills looking at vulnerabilities
  • writing exploits for web app vulnerabilities
  • actionable python (requests, etc)
  • learn much more about .NET, C#, nodejs, php, and some more on java…enough to feel comfortable reading source code and tracing requests and parameters
  • more familiarity with Visual Studio Code, debuggers

I do like to write out goals, as they do a few things for me. First, the goals help make sure I’m aligning my certification path and the preparation towards it with what I hope to get out of it. Second, it helps give me an idea what the certification path is all about, so that I can slot other possible preparation topics into it. In other words, managing expectations and summarizing the output.

This is my initial seeding of research and prep

Preparation Checklist

This is my reviewing of the above items and setting up some semblance of a plan. Considering what this cert is, I definitely don’t see myself signing up for this until the latter half of 2021. Worst case scenario, I am not entirely prepared, but sign up for the course anyway and either put off or fail the exam. Either way, I still come out of that with some learning, and extra time (and less stress based on deadlines), and a good idea of my next steps.

General things I need to do:

  • learn what MVC and OOP really mean
  • Python, writing small scripts to deliver exploits, handle requests <–should be comfortable with this
  • C#/.NET
  • nodejs/Javascript
  • php
  • java
  • learn debugging and decompiling tools, dnspy, de-gui
  • regex
  • more SQL injection
  • do various vulnerable web apps
  • Visual Studio Code
  • SublimeText
  • brush up on various in-scope web app vulnerabilities types
  • comfortable debugging the above on Windows and Linux, or at least aware of techniques

Actual things to do

Tools

  • dnSpy – .NET decompiler
  • Python requests and exploit building
  • de-gui for java?
  • use Visual Studio Code regularly (many benefits; hotkeys and debugging, going to modules/references)
    • leverage Visual Studio Code SSH extensions
    • understand the launch_json files in Visual Code
  • learn some SublimeText (for python)
  • Burp (set scope, intercept requests, manipulate requests…)

Languages / major themes / skills

General techniques to know about

Pre-course things to revisit before purchasing the course

  • read the footnotes and links, do the extra miles!!!
  • define a methodology: blackbox the app first, then white box source code (grep/ngrep?)
  • set up kali and note strategy
  • read offsec faqs and guidelines for course and exam

Lastly, make a list of things from the above to review halfway through the course, and another list to review before scheduling the exam.

Leave a Reply

Your email address will not be published.