Advanced Web Attacks and exploitation (WEB-300) is an advanced web application security course that teaches the skills needed to conduct white box web app penetration tests. Learners who complete the course and pass the exam earn the Offensive Security Web Expert (OSWE) certification and will demonstrate mastery in exploiting front-facing web apps.

After going through many certification exams I started contemplating on my next goals and which certifications would be worth the effort at that point. To be honest, the Web Expert was the one that I had the least interest in considering the whole expert-level basket. However, as I’ve been dealing with Web apps almost everyday for the last couple years, I figured this should be the closest and therefore easier to me.

WEB-300: Advanced Web Attacks and Exploitation (AWAE)

The course syllabus consists of several study cases on CVEs registered for Open-Source solutions, where some of them were discovered by Offensive Security themselves. I personally liked the materials, in some topics they go deeper than the expected, the exercises and extra miles would usually challenge me on doing things that I’m not used to.

There are three challenge applications in the labs, where 2 of them are white-box as they provide you with a developer machine containing the source-code and a few tools. It may not seem like much, compared to other exams that have 5+ challenges, but the applications are reasonably big, there are different ways to approach and compromise them and I even found myself falling into rabbit holes.

Now this being an expert-level course, it assumes that you already have pro-level knowledge, so it won’t be covering basics and fundamentals. If you’re a beginner, it might be better to do OSWA first.

If you feel like you need some pre-prepping:

  1. Familiarise yourself with PHP, Java and C#.
  2. Take a look at the most popular frameworks: Laravel for PHP, Spring for Java and such.
  3. Model View Controller: learn how to interpret routes, the concept of sources/sinks and how to follow and understand the information flow at code level.
  4. Take a look at how code review works and have some practice.


Although I’ve been working with Web for a while, the assessments are usually black-box, so I didn’t had much practice with code review and even automating the exploitation process before enrolling.

My preparation consisted of going through the course and taking lots of notes – payloads, code snippets, small details that could be missed and a few checklists for me not to forget things.

I also developed a “one-click” exploit for each chain, the same goes for the two white-box challenge applications. I would strongly recommend that you do the same, as writing the exploits is one of the exam requirements and, unless you’re used to it, you may struggle with some things.

Web Expert Exam

This one follows the same pattern as other exams, with a few restrictions, proctoring, technical requirements, report requirements and time allocation.

One thing you may notice is that the exam guide does not describe the point allocation and how many applications are in the exam environment. I even e-mailed them to see if I could get more details from somewhere, but their response was that all information available is in the guide, and anything besides it cannot be discussed.

I started my exam on a saturday night, and got the passing score around lunch time the next day. I actually almost ended up failing because of a CTRL+Z in one exploit (please avoid being dumb like me and backup your exploits…), which cost me hours to rewrite while I was also pursuing another thing at the same time (also had a heart attack). I managed to finish the exam with around 1h left, concluding 100% of the technical objectives and requirements. Spent the last minutes revising my report yet again and making sure everything was in place.

Closing Thoughts

My experience with the exam was great, it was challenging and a great learning opportunity. This actually fired me up to keep pushing through the other expert-level exams (after resting for a couple months), overall I would definitely recommend it.

My final recommendations would be:

  1. Go through the course and take your notes. Do the exercises and extra-miles if you feel you need them.
  2. Understand how to identify the vulnerabilities within the code itself. From my experience, you won’t be able to identify and/or exploit most of them only with dynamic analysis.
  3. Write exploits and helper scripts for each vulnerability and exploitation chain.
  4. The challenge apps are a must do.
  5. If you want any extra practice, take a look at TUDO and SecureCode1.
  6. PentesterLab’s Code Review badge is another good resource.

References and Further Reading


Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *