Offensive Security Web Assessor
Let me start by saying that I passed the OSWA exam in August 2024. I meant to write this up right away, but simply never got around to it, so, six months later, I’m writing mostly from memory, while of course checking my notes where needed.
Introduction
With that out of the way, let's get into it. The Offensive Security Web Assessor is a certification by OffSec that tests your ability to identify common vulnerabilities in web applications. I found the learning material provided by OffSec to be adequate. It wasn’t phenomenal, but it did cover everything needed to pass the exam. However, I want to point out that OSWA wasn’t my first exposure to web application hacking, having been through the OSCP and PNPT (TCM Security) learning material prior to this. While those exams focus more on Active Directory and host-based attacks, they do incorporate some web hacking elements. If OSWA is your first foray into web hacking, your experience may vary.
The learning material covers the following vulnerabilities, any of which may be found on the exam:
- Cross-Site Scripting
- SQL Injection
- XML External Entities
- Directory Traversal
- Server-Side Template Injection
- Command Injection
- Insecure Direct Object References
Exam Format
For this exam, you are allotted 24 hours to attack the targets and another 24 hours to write your report and submit it via the exam portal.
The exam environment contains five standalone machines, each containing a ‘local’ (low level) flag and a ‘proof’ (root level) flag. “Standalone” means that none of the machines rely on each other for completion; however, you may see the same type of vulnerabilities on multiple machines. In simple terms, you won’t need to solve machine one in order to solve machine two, etc.
Local Flag (Initial Foothold)
To reach the local flag, you need to bypass authentication in order to reach an area of the web application that would normally be inaccessible to regular users. Once you reach this section of the site, the flag is plainly visible on the page. There wasn’t any “access the admin portal and then poke around even more to find the local flag inside some comment thread.” Once you bypassed the authentication, it was very obvious what the flag was.
Proof Flag (RCE)
Once you reach the restricted section of the site, the next goal is to achieve remote code execution on the server hosting the web application. Unlike other exams such as the OSCP, you don’t need to perform any privilege escalation in order to retrieve the flag; simply being able to run code is enough to read the proof.txt file that contains the flag. It should be noted that while you may be able to create a reverse shell back to your attacker machine, this isn’t always mandatory if you can otherwise run code and have the output displayed within the UI of the web application.
My Tips and Suggestions
- Enumerate, Enumerate, Enumerate - Explore every path. Fuzz for directories, click on (and read) every page, look at query parameters in the URL, and manually review the requests and responses in a tool like Burp Suite for any data that might be included but not shown directly in the UI.
- Think about how functionality works on the backend - For example, if you’re looking at a search box, think about the functions that would make the search work and how you could abuse that functionality. The same goes for login pages, file uploads, etc.
- Use context clues - Read through the site in detail. Is there anything said on the site that could allude to hidden functionality or actions taken by the site’s users? Is there any information that could aid you in building lists for fuzzing or other attacks?
- Follow your hunches - While you of course shouldn’t dismiss other vulnerabilities entirely, the vulnerabilities for the most part are quite obvious, so follow your gut. If “This feels like cross-site scripting” pops into your head, there’s probably something there, so even if your first attempt fails, don’t give up and instead see what you can tweak to make it work.
- Take breaks - You should be taking a short break every hour or two. Step away from your desk, stretch, grab a water, etc. This is equally true when you’re feeling stuck. Maybe take a longer break and have a meal, or do something that takes your mind away from the exam completely. For me, doing this helped me to come back with fresh thoughts and ideas to try.
- Plan your day accordingly - Plan your exam for a time that makes sense for you and your routine. I am not a morning person. I know I don’t work well at 7am, so I started my exam at 11am. This allowed me to sleep in a bit, get up and have breakfast, and then gave me all afternoon and into the evening to work on the exam. If I remember correctly, on my first attempt I called it a night at around 2am then got up the next morning to wrap up. My second (passing) attempt, I again started mid-morning, but wrapped up and submitted my report that evening.
- Take notes as you work - When it comes time to write your exam report, you’re expected to include screenshots as well as a detailed description. It’s much easier to write the report if you already have your notes compiled and screenshots ready. Remember that after the 24-hour exam window ends, you can’t get any more screenshots. I found what worked best for me was to write down and screen-grab everything I did as I did it. If an attack didn’t work, I crossed out that section of the notes. This way I didn’t lose a record of what I did, but it was very clear as I was writing my report what the successful path looked like.
- Know that it’s okay to fail - I failed my first attempt with 60 points, and that’s okay. It was actually later in the week that I was just sitting around and had a sudden realization about where I went wrong. I rescheduled my exam for the next available time slot, started the exam, and got the required 70 points within the first few hours. I then used the rest of my time to hunt for the remaining 30 points, turned in my report that evening, and received the passing notification about a week later.
Wrap Up
Overall, I did really enjoy the learning material for this certification. The exam was challenging but not outrageous, and I’m really glad I did it. That being said, it is expensive! I’m thankful my company paid for my subscription, as I’m not sure I would have paid for it on my own.
It's also important to keep in mind that there are several other similar offerings on the market now, too. HackTheBox has the Certified Bug Hunter, which covers many of the same topics. I have actually been through quite a bit of the material for it and I really like it! Its content is very text heavy though, so if you’re someone who enjoys videos, HTB might not work well. TCM Security also has the Practical Web Pentest Associate certification, which is their more junior level certification. I don’t have experience with that one specifically, but I did enjoy the learning material and exam for their Practical Network Penetration Tester certification. Both offerings by HackTheBox and TCM Security are significantly cheaper than OSWA, though OSWA likely still holds more weight during the hiring process if you are looking to become a web app penetration tester.
Lastly, I appreciate you sticking around and reading this write-up! I intentionally didn’t get too detailed in order to avoid spoilers, but I still wanted to provide at least a brief overview of my experience with the certification.
I also plan to do write-ups on PNPT and TCM Security’s IoT hacking certification, the Practical IoT Pentest Associate, so stay tuned for those!