OSWE: Joy and Disappointment

Tram Ho

At first, I didn’t plan to enroll in OSWE because I had just gotten OSCP and there was a lot more work. However, an unexpected incident happened, and that night, I don’t understand why, I woke up at 12 o’clock at night to register for OSWE, and so $1649 flew away because of an impulsive minute. The next morning, I found myself self-destructing, but if I missed it, I would have to study again => the 2-month try-hard journey began.

What is OSWE?


Advanced Web Attacks and Exploitation (WEB-300) is a whitebox web application security course and was also my wish at the time of registration. This is an advanced course, as it requires some prior knowledge, such as:

  • Ability to write and read code.
  • Understand the types of web attacks.
  • Proficient use of web proxies such as Burp.

After studying, I see some advantages and disadvantages of the course:

  • Advantages:
    • Provides learners with a comprehensive view as well as a clear understanding of each type of vulnerability mentioned.
    • Extra Miles exercises help test the knowledge conveyed in each module.
    • The video tutorials are quite detailed and easy to understand.
  • Disadvantages:
    • Labs are quite few, unlike OSCP, which is overflowing with them.
    • Does not mention newer bugs like Broken Auth, OAuth 2.0, …


To get the certificate, you will have to pass an exam that includes the source code of 2 web apps, and you have 48 hours of despair to get at least 85/100 and …


The journey to get the certificate


In the learning process, although I was guided by the whitebox approach, I always started by trying blackbox, because most of my daily work has to take this approach. My goal was to try to find the bugs with blackbox in all the modules learned; although I did not achieve that goal, I am quite satisfied with the lessons I did with blackbox.

I use Notion to record the highlights of each module, such as: the code flow leading to the vulnerability, why the vulnerability occurs, my thoughts on the vectors, the payload used, …


It took me about 2 months (most of which I spent on blackboxing) to complete all the guided modules and extra miles, followed by doing the last 3 lessons without instructions to test my knowledge as well as increase my self-confidence. After 2 days, I finished all 3 lessons, and at that time I was “feeling godlike”, so I went to register for the exam day. Initially, I chose to take the exam on December 5, but after 1 day, I hated this feeling of waiting, so I changed it to November 18.


Somehow, both times when I took the OSCP and OSWE exams, I got the types I really hate, BOF and Client-side Attack, not because they are difficult, but because they take a lot of time to exploit. The first lesson took me about 2 hours to find the bypass auth vector; there are quite a lot of rabbit holes, and if you don’t realize it soon, it will be very time-consuming. Once you bypass the auth, RCE is only a matter of time, and the price I had to pay here was only 2 hours. So after 4 hours I got 50 points and just needed to find the bypass auth vector in lesson 2 to have enough points. After reading the description of the lesson, I thought I would meet Client-side Attack again; because I knew the bypass auth vector, I found the vector soon after, in about 1 hour. I found the RCE vector for lesson 2 not long after, but it was quite time-consuming to exploit, so I stubbornly did not follow that direction but looked for another direction that took less time, and as a result I wasted x2 the time on the RCE job.

So after about 15 hours of trying hard, I got 100 points. So far I was quite happy, so I took a break before going back to prepare for the hardest part, which is writing the POC and report. Writing the report cost me about 10 hours, just sitting down to write it and then deleting it. I feel that writing a report is even more difficult than taking the exam because it brings a terribly boring feeling!


After passing OSWE, I feel quite happy because in the process of studying, I gained a lot of new knowledge, approaches to problems, and the try-harder mindset. However, I still feel a bit disappointed because I expected the exam to bring more challenges for me, and then to be happy at overcoming difficult challenges.

Source : Viblo