craftwa.re

A walk outside the sandbox


Advanced Web Attacks And Exploitation - Course and OSWE Exam Review


Overview

I was very excited when I found out about AWAE - Advanced Web Attacks And Exploitation Training. If this was to be in line with the other Offsec courses, it had to be well worth doing. And I wasn’t disappointed. The course is well structured and goes well beyond classic vulnerability examples. The best things, in my opinion, about this course are that:

  • Each chapter is a scenario that chains together multiple vulnerabilities, starting from a web vulnerability and ending in RCE.
  • Each chapter has exercises and solutions, but also Extra Mile challenges that force you to go off on your own and find solutions.
  • There are many topics covered, mostly around vulnerabilities that can be found via code review: a lot of application logic flaws, XSS, XSRF, blind SQLi and interesting authentication bypasses.
  • They force you to become good with (or at least understand, and be able to craft some code in) many programming languages: Perl, Python, Java, JavaScript, C#.

Time-wise, I took the 3-month package but ended up using only about 2 months. If you work consistently on it, it can definitely be done quicker.

All the posts I’ve read recommended doing the Extra Mile exercises, and I agree with this. In my case I did them as they appear in the book, instead of at the end of the course. I would definitely recommend this. Psychologically it has the advantage of giving you the satisfaction of having finished the chapter fully, and it gives you confidence to approach the next ones.

Study

Depending on experience, the amount of study needed before or during the training will vary. There’s no point in providing an exact number of hours of study or a list of resources here. What’s important is to approach it methodically, realise what you know and what you don’t, and not run away from any topics.

Since this is mostly about coding vulnerabilities, I found the following code analysis challenges very interesting:

There are many resources recommended throughout the course, so make sure to check them out!

Exam

The exam is not easy and requires a bit of concentration and a good understanding of the techniques used in the lab. I would say there are no tricky challenges to solve, but the exam is slightly more difficult than the lab. In my case I had some serious problems with the internet connection on the first day. Because the exam is proctored, I had to restart the camera monitoring software almost 150 times. That was very, very frustrating. I had a plan for the second day, but luckily my connection got back to normal and I didn’t have to implement the contingency plan. I learnt some things from this:

  • Don’t lose hope or panic. If something doesn’t work, keep hammering at it until you find another path!
  • Avoid rabbit holes and don’t chase the same issue endlessly.
  • Get enough sleep, food and oxygen during the exam. My exam started on Friday morning and I had a run outside on the first and last day.
  • Try harder!

Overall, I learned a lot while doing the training and the exam. The course is stimulating and very interesting. In the end, you get out what you put in.

Looking forward to AWE being made available in the UK!

dino