How I Studied For The OSWE
Today, I'm bringing you a mostly unscripted, chill review of my journey through the OSWE (Offensive Security Web Expert) certification. No need to strap in, because this will not be a long one - I'm just rolling off the dome, sharing my experiences and thoughts, both pre and post-exam.
Is The OSWE Worth It? Whatever "It" May Mean...
Let's kick things off with a bit of business lingo - opportunity cost
. Yep, that thing from high school business studies. It's not just about missed profits; it's about time too. Why is this relevant? Because the OSWE is a time-eater. I'm talking about a solid 9-10 months of deep diving, starting lightly in November 2022, hitting it hard in January, and just living in that space until the time of completion which is September 2023.
Opportunity Cost: The lost of potential gain from other alternatives when one alternative is chosen
And let me be real with you - I failed the first time around. But hey, if that's a bit of motivation for you, then great! When I did pass, the excitement was...meh. I couldn't help but think about all the things I could've done in those 10 months. Could've dived into bug bounties, cranked out more YouTube content, got deeper into work-related studies, maybe even lab building (which I always say I'm passionate about but never actually do, you know?).
So, the big question - was it worth it? I'd say yes for the mental challenge and the learnings, but it's a personal call. Some folks grind on certs for years without quitting. The OSWE's worth? That's for you to decide.
The Course Breakdown
Now, let's talk about the course itself. It's structured into modules, each with its lab or machine - think case studies. The Highs and Lows
Some modules? They're a blast – engaging, well-structured, and you're hooked from start to finish. But then, you hit others that are complete spaghetti. They make zero sense, leaving you wondering about their relevance to the whole program. It's a wild ride from being fully engaged to utterly baffled.
Take the .NET deserialization module, for example – an absolute beast. I watched it twice and still didn't get it each time. My brain just couldn't wrap around the complexities of the vulnerability because they left out so much detail.
Course or Just a Collection of Case Studies?
Here's the thing – can we even call this a course? It feels more like a compilation of write-ups on various vulnerabilities, some dating back to 2012. It's like OffSec did case studies on these vulnerabilities, documented them "in-depth", and just threw them together in a list, slapped a $1,600 price tag on it, and called it a course.
I see people on LinkedIn celebrating their passes, claiming it's a great course. But honestly, from my experience, it doesn't feel worth the price tag. It's nothing like the OSCP or the Web 200, which I found neat and well-structured. This one? It's advanced, demands a lot of self-research, and expects you to know a lot already, but that is expected of an "expert" level course, right?
Not all is lost, though. The module on server-side template injection, particularly with an application built in Python, was fantastic. It was exciting, easy enough (maybe because it's Python), and a breath of fresh air compared to the .NET and C# stuff.
Study Tips
This brings us to studying for the OSWE. It's dense. You need to figure out your learning style and stick with it. For me, it was taking notes on my iPad because I like writing things down and then transferring them to Notion to make a proper cheat sheet I can copy and paste from.
1. Develop a Study Plan
- Allocate Time Wisely: Given the course’s density, plan your study time. Set aside dedicated hours each day or week for study. Don't fool yourself into thinking you can do a 20-30 minute study session and make any progress. Give yourself at least an hour for each time you want to look at the course material
2. Deep Dive into Each Topic
Understand, Don’t Memorize: Focus on understanding concepts rather than memorizing them. The OSWE tests your ability to apply knowledge, not just recall it.
Research Beyond the Course Material: The course provides a foundation, but real understanding comes from exploring topics in-depth. They always provide links to documentation, talks, and other things at the end of certain sections. Read those!
3. Emphasize Weak Areas
Identify Weak Spots: Be honest with yourself about areas where you’re struggling. Spend extra time reinforcing these topics. For me, this was the .Net and prototype pollution modules.
Seek Help for Challenges: If you're stuck, don’t hesitate to seek help from mentors, discord communities, or official forums.
4. Effective Note-Taking
Organized Notes: Keep your notes organized. Use digital tools like Notion or OneNote for easy searching and referencing.
Mind Maps: Create mind maps to connect different concepts and visualize how they interlink.
External Resources
If you're looking for extra material, hit up HTB, especially if you have limited lab time like the 90 days lab access. The TJ Null list would obviously be the starting point for this.
If you've got cash to burn, consider the OSWA (Offensive Security Web Analyst) as a precursor to the OSWE. It's very well structured and teaches you a lot of the blackbox aspects of testing that the OSWE also requires. I had the Learn Unlimited
so I had the privilege of going through some of the material.
And don't overlook PortSwigger's free labs - they're gold as usual.
The Art of Scripting
And now, one of the things that most people struggle with - scripting. It's a colossal part of the exam. Imagine you find the vulnerabilities you need to find and fail at automating the exploitation. Shame!
You've got to automate everything you do, from initial access to final exploitation. Offsec itself gives you clarity about what exactly they expect the script to do in case you don't understand what I mean by final exploitation. So, sharpen those scripting skills, be it in Python, Ruby, JavaScript, Go, or even Bash if you're feeling fancy.
For each lab you decide to do outside of the OSWE labs, automate your exploits from start to finish.
Your script should be able to do everything for you without you touching the keyboard whether it be fetching API keys or credentials, logging in on a user's behalf, you name it.
Here is a repository that helped a lot with searching for specific things when I needed them.
Wrapping It Up
In conclusion, I'm glad I'm done with the OSWE. It was a long journey, and I'm proud of the achievement, but it's time to move on to new things. And hey, to all of you embarking on this journey, study hard, and remember - failure is just a part of the process. You got this!
And remember, if you need help, I'm here – as long as it doesn't violate OffSec's TOS, of course.
Stay strong, stay smart, stay better. And hey, maybe failing the OSWE was just my way of staying humble. Imagine if I'd aced it in one go just a year after completing the OSCP in one go as well - my head wouldn't fit through the door!
Subscribe to my newsletter
Read articles from Tadi directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Tadi
Tadi
Just another security guy documenting his journey