0x43434343 / awae_review Goto Github PK

INTRO

Advanced Web Attack and Exploitations (AWAE). It is a exploit development course based on Web. it developed by Offensive Security. The course was only offline at BlackHat conference for a couple of years, then eventually Offensive Security brings it online. See the syllabus to get more details. https://www.offensive-security.com/documentation/awae-syllabus.pdf

Am I ready for AWAE ?

Well, this question become increasingly asked by a lot of folks. For me I wasn't hesitant to sign up; however, to be honest no body will give you the right answer except you !! whether you have a 10 years’ experience in the industry or fresh graduate student like me . Here are the things that you may consider to have it before applying for AWAE. Otherwise that course will be heavy.

• You should be good with well-knowns web vulnerabilities (LFI,SQLI ..etc)
• Experience in black box testing would be helpful as a mindset.
• Being able to read and understand complex open source project written by either the following languages ( PHP , NodeJS , java , C# )
• A solid understanding of these topics inheritance, polymorphism ..etc ( OOB)
• Being able to focus for long periods of time on programming & writing exploit.
• Master one interpreter language to automate thing is plus ( Python , Ruby ..etc)

ENROLLING

You will be provided a materials and vpn file to access the labs. The materials divided by 2 parts. A pdf file and videos. The pdf document will explain everything in details. Exercises will be constantly at the end of each module as well as ExtraMile. Keep in mind, ExtraMiles are optional, but don't skip any of them.

EXAM !!

As always Offsec prepare something unbelievable. The good news is , if you understand the matrial and you did the exercises and extramiles, then don't worry the requirement to pass the exam met except to try harder , and never give up. The exam has 2 applications and each of them will ask you to bypass the authication and get RCE. so be prepared and ready !!. Here is my advices for who schedule the exam.

• It's better to give yourself break before the exam date and enjoy with your family.

• Don't apply black box testing on input ( it won't work ).

• Start confidently and challenge yourself to get the whole points , not only the ( pass requirements )

• If you spot the issue and it leads to complicated things stop!!!!! turn around!! (back later if you didn't find a unique issue)

• Debugging is the key! ( just remember that ) => ( print("reach line 24 :D , pass first condition :D bom!!"))

• Prepare your plan for authentication bypass , for instance (it could be login issue, access controller or session prediction , weak token ..etc ) , I recommended to use your own list and prepare it before the exam date.

• Don't read the instructions to much :D , they won't hide the answers between the words.

WRAP UP

Advanced Web Attack and Exploitation is rewarding course and recommended to anyone who wants to delve into web bug henting. Although the course deal with white box & code review, we may have the decompiled code or a source code by hands in some cases. In addition, it will guide you on a different technique to use it in vulnerability discovery as well as debugging. At the end , it will develop a exploit to chain multi vulnerability together and craft appropriate exploit to gain remote code execution.