OSWE opinions

securityorc

Now that OSWE has been released as an online course like OSCP and the rest, it's making me ponder whether to for it before OSCP. I was curious if anyone here took it and can share some thoughts in terms of its difficulty and prerequisites. I'm currently dealing on the appsec side, so the web course seems just the right move for the present situation. I plan to prepare by subscribing to PentesterLab first.

I've got to finish a couple other certs that I've been working on before starting either way, but I'm really hyped about it! Happy to hear some more thoughts on this.

xXxKrisxXx

Some of Offensive Security's alumni had the opportunity to get access to the courseware a few weeks before they ended up releasing it to the public. Having taken and passed PWB back in the day, and having been waiting for this course since 2012, l couldn't help but sign-up. 

l got access to the course content a couple weeks back and watched the videos content for it within a couple days. l'm personally very impressed by the content. l managed to land the eWPT back in 2014, and even if l'm rusty now days - l was still blown away by what they show off in AWAE. l even have access to the eWPTX material and it blows it out of the water. 

The course shows off how powerful scripting is when pulling off these attacks. lt's all way more than just knowing how to use Burp Suite in the course. The scripts and payloads these guys come up with accomplishing these attacks will leave you going back and re-watching the video content again and again. l need to go back a second time and easily a 3rd time through to wrap my head around it. 30 days in my opinion is do-able lab time wise. l opted in for 30 but being 2 weeks in and having only connected to the Labs once because l've been busy means l'm just going to need to buy more time. 

They're not playing around with their pre-requisites to the course. A developer background will help you out. You're taken through various platform scenarios (Java,Javascript (Node), C#, PHP, etc) (see their syllabus) and most of the course material approaches attacking it from a White Box perspective. lt's really amazing seeing these guys being able to sift through and examine source code, explain how it's vulnerable and flat out demonstrate exploitation of it in front of your eyes. They take it way beyond popping up cute xss alert boxes and combine/chain multiple attack vectors to gain remote code execution. 

I work as a Senior Software Engineer and l was left with goosebumps seeing them show other people's source code and being able to point out, "Well they did a good job here at sanitization - but we're just going to take advantage of where it was overlooked in this place." Glad they got this one online - but l'm honestly a little in fear of what the exam is going to entail. 

xXxKrisxXx

Barely realizing right now l should have answered on whether you should go for OSWE before you do the OSCP. Not at all. PWK and the Lab Environment with your time spent in it researching and attacking machines is going to get you ready for the OSCP Challenge. You're not going to need as deep of an understanding of Web Application Attacks that AWAE provides for your time in PWK. Sure the course goes over the basics - and sure you'll run into web applications you'll get to attack in the lab environment, but thinking you need to have your hands on the OSWE to go into OSCP isn't necessary. Web Application attacks are just a % of what PWK covers. lf anything, prior to seeing AWAE released online, l've seen OSCP's trying to get a deeper and firmer grasping on Web App Attacks by going for courses like SEC542 or eLearnSecurity's Web App Attacks course. l recommend doing the OSCP first and then going for the OSWE. Anytime l see folks saying they want to do pentester lab first to prepare for the OSCP, l don't have any objections. At the sometime though, l don't find it necessary as you're given quite the amount of boxes in the PWK Labs - so simply make use of the lab time you paid for and you'll be fine. 

securityorc

Thank you for the detailed description! Now I'm even more determined to go for it before the OSCP. Just to clarify, when I mentioned PentesterLab, it was as preparation for OSWE (and general web-fu skill level up). For OSCP, I've been doing Vulnhub machines and watching all Ippsec's videos. I don't think I'll be able to fit more than 1 Offensive Security cert this year, but at this point I am really leaning towards going for the OSWE first.

chrisone

I am definitely going to look at this cert and course sometime next year in 2020 for sure! I would not do OSWE before OSCP. 

MrAgent

I'm signed up for the AWAE. I start Saturday. From what I understand, its A LOT of code review. Python and JS. I'm excited to get into this and learn.

securitychops

Thanks for the breakdown @xXxKrisxXx ... looks like I will add this one to my todo list for early 2020!  So many certs and so little time! 

SeyramKwame

I have been waiting for this course to be made available. I will definitely add it to my To Do list before year end 2019.

LonerVamp

securityorc said:

Thank you for the detailed description! Now I'm even more determined to go for it before the OSCP. Just to clarify, when I mentioned PentesterLab, it was as preparation for OSWE (and general web-fu skill level up). For OSCP, I've been doing Vulnhub machines and watching all Ippsec's videos. I don't think I'll be able to fit more than 1 Offensive Security cert this year, but at this point I am really leaning towards going for the OSWE first.

Maybe we read the response in different ways, but the general expectation would be to do OSCP first, before OSWE.