Advanced Web Attacks and Exploitation (AWAE) by Offensive Security is an advanced certification course on white-box penetration testing of web applications. In this latter form of testing, the tester is given full access and knowledge for the target applications. This certification is ideal for those who want to get started in the field of web analytics and optimization. In this blog post, we will explore the basics of AWAE, from what it is and who it is for to what its requirements, prerequisites, and ideal preparation are.
What is AWAE?
Advanced Web Attacks and Exploitation (WEB-300) is a certification from Offensive Security that focuses on white-box penetration testing of web applications. The latter form of penetration testing means that the tester has full knowledge and access for the applications under testing. Applicants who complete the AWAE course and pass the exam will earn the Offensive Security Web Expert (OSWE) certification, validating their mastery skills in exploiting vulnerabilities in public-facing web applications.
How does the AWAE certification work?
To earn the AWAE certification, applicants must do the following:
- Register and complete the AWAE course: Applicants can start their training by choosing between these three options: NEW STUDENT, EXISTING STUDENT, CORPORATE/OTHER.
- Pass the AWAE exam: The AWAE exam is a 48-hour online practical proctored exam. Preparation for the exam includes AWAE training and recommended reading.
Who is the AWAE certification for?
- Experienced penetration testers seeking a more in-depth understanding of white-box web application testing.
- Web application security professionals.
- Web professionals working with a web application’s codebase and security infrastructure.
The AWAE certification can also be beneficial for those who want to get started in the field of web analytics and optimization and validate their hands-on penetration testing skills in public-facing web application vulnerabilities.
What are the AWAE certification prerequisites?
To successfully pass the AWAE certification exam, applicants should meet the following prerequisites:
- Comfortable reading and writing at least in one coding language.
- Familiarity with Linux.
- Ability to write simple Python/Perl/PHP/Bash scripts.
- Experience with web proxies.
- General understanding of web application attack vectors.
What are the AWAE certification exam requirements?
As part of their certification exam requirements, applicants must compromise several target machines following specific instructions and write a professional penetration testing report describing their exploitation process for each target, step-by-step, along with the issued commands and console output.
Documentation
As the AWAE exam documentation requirements are very strict, failure to provide enough documentation will result in reduced or no points being awarded. Also, once the exam report is submitted, it is final. If any screenshots or other information is missing, applicants will not be allowed to send them and these screenshots will not be requested by Offensive Security.
Proof files
The computers used for the exam will require applicants to retrieve their proof files. Failure to provide the required documentation or proof files for a specific certification exam objective could result in partial or no points being awarded.
Restrictions
The download of any application, file, or source code within the exam environment to an applicant’s local computer is strictly forbidden. The use of any of the following tools, features, or tasks during the exam is also forbidden:
- Source code analyzers.
- Automatic exploitation tools (e.g., db_autopwn, browser_autopwn, SQLmap, SQLninja, etc.).
- Mass vulnerability scanners (e.g., Nessus, NeXpose, OpenVAS, Canvas, Core Impact, SAINT, etc.).
- Features in other tools that are either forbidden or restricted during the exam.
- Remote mounting of application source code (e.g., using sshfs, sftp, etc.).
Exceptions
Applicants are allowed to use tools including Nmap (and its scripting engine), Nikto, Burp Free, and DirBuster, along with some payload generator tools such as msfvenom and ysoserial against any of the target systems.
What are the AWAE certification course main modules?
The AWAE course covers the following modules:
- JavaScript prototype pollution
- Advanced Server-Side Request Forgery
- Web security tools and methodologies
- Source code analysis
- Persistent Cross-Site Scripting
- Session hijacking
- .NET deserialization
- Remote code execution
- Blind SQL injections
- Data exfiltration
- Bypassing file upload restrictions and file extension filters
- PHP type juggling with loose comparisons
- PostgreSQL extension and user-defined functions
- Bypassing REGEX restrictions
- Magic hashes
- Bypassing character restrictions
- UDF reverse shells
- PostgreSQL large objects
- DOM-based Cross-Site Scripting (black-box)
- Server-Side template injection
- Weak random token generation
- XML external entity injection
- RCE via database functions
- OS command injection via WebSockets (black-box)
What are the AWAE certification key benefits?
AWAE applicants will gain the following abilities:
- Perform an in-depth analysis of decompiled web application source code.
- Identify logical vulnerabilities that many enterprise scanners cannot detect.
- Combine logical vulnerabilities to create a proof of concept on a web app.
- Exploit vulnerabilities by chaining them into complex attacks.
Final thoughts
The AWAE certification is a great way for penetration testers to validate their skills in white-box web application assessments. The course provides excellent coverage of the entire process, from identifying vulnerabilities through source code reviews to chaining them together into complex attacks resulting in remote code execution.
Contact us if you need help with your penetration testing project.