OSWE Review
I’m OSWE Certified – My Thoughts and Prep Journey
Absolutely chuffed to say I’m now officially Offensive Security Web Expert (OSWE) certified—and managed to pass on my first attempt! 🎉
The AWAE course (Advanced Web Attacks and Exploitation) is a deep dive into code review and web exploitation techniques, where you’re expected to craft scripts that perform automated, full-chain exploitation of vulnerable applications. It’s intense, but incredibly rewarding.
Preparation
My pre-exam prep focused heavily on the challenge labs—specifically the ones labeled with “Application” at the end. These are gold. Not only do they mirror the exam’s structure, but they also force you to write actual exploit chains. If you’re someone (like me) who didn’t do much scripting for the modules themselves, these labs will get you there.
One of the best decisions I made was to create boilerplate scripts based on these labs. Having templates ready meant I could quickly adapt and reuse logic during the exam, conserving precious mental energy. I will probably be uploading these scripts along with my Obsidian note templates to GitHub but I would recommend creating your own since everyone works differently.
While I didn’t write exploits for every module, I did follow along with all the discovery and exploitation steps and took solid notes on anything unfamiliar or interesting. This definitely paid off later during the exam.
Debugging is a Skill – Not a Side Quest
One of the biggest lessons for me: get comfortable with debugging. Whether it’s VS Code, a remote debugger, or Burp Suite tools—know your toolkit. I ran into a few issues during the challenge labs and learned how to fix them, which turned out to be a time saver on the big day.
If you’re prepping, build a debugging cheat sheet or a mental flowchart. You’ll thank yourself when your payload mysteriously stops working and you’re staring at logs trying to figure out why.
I’ve linked more prep advice and helpful resources in the Tips and Resources section below.
The Big Day
I kicked off my exam at 10 AM and landed a shell on the first machine within 12 hours—exploit and all. I spent a bit of time after that just cleaning up my screenshots and labelling everything properly. I always take more screenshots than I need, but it helps me feel covered.
Feeling confident, I moved to the second machine. Within two hours I had the vuln and access to the admin panel. That’s when I got cocky and went exploring side paths instead of staying on track. Classic.
I spent most of the second day chasing rabbit holes. Even though I knew the stuff I was poking at probably wasn’t exploitable, I kept trying because… well, curiosity. Eventually I circled back to the real vuln, confirmed it, and started working on the exploit. But by then, time was running short.
The bug itself wasn’t hard, but I hadn’t set up proper logging or debugging for that specific spot, so I burned hours on red herrings. Turns out my exploit was half-working the whole time—it just needed a couple of tweaks.
Takeaway?
Don’t wait till the end to enable logging or inspect app behavior. The exam rewards smart observation, not brute force. Also, leave the fun side quests until you’ve got your core objectives done.
I passed, but I would’ve loved to walk out with the full 100 points.
Tips and Resources
I have some general tips for preparation, with quite a few resources linked down below. The list is long, but it is not meant to be “essential”: many of the labs and videos I have linked are good resources that will be valuable if you need help in a specific area, but don’t feel like you have to do them all.
Preparation
Here is what I would consider as essential prep before taking the exam:
| Tool/Technique | Resource |
|---|---|
| Debugging | Course Modules; Challenge Labs; Resource Links: Helpful Videos |
| Decompiling | Course Modules cover this topic well enough, but there are several videos out there of people decompiling source code for CTFs, etc.; Challenge Labs; Resource Links: Helpful Videos |
| Source Code Review | Course Modules; Challenge Labs; Resource Links: Helpful Videos |
| Web Application vulnerabilities | Course Modules; Challenge Labs; PortSwigger Labs (Apprentice/Practitioner). In Resource Links: PortSwigger Academy I have linked the ones I think have good value, not just for OSWE but in general |
| Exploit Writing | Course Modules have a few examples of exploits, etc., which I would suggest copying and improving; Resource Links |
Conclusion
If you’re tackling the OSWE, remember: this is a code review-heavy exam. There will be rabbit holes. Your best defense is disciplined enumeration and a solid process. Save your deep dives for after you’ve proven the exploit path.
Note-taking is a big deal. I used templates in Obsidian during the exam to keep my findings organized—it helped me avoid getting lost (except when I chose to go exploring 😛). I will probably share them on my GitHub, but I highly recommend building your own.
All the Resources
Resource Links Portswigger Academy
I know that the list seems a bit long, but the intention of this list is to be comprehensive with the techniques that will be helpful for overall web methodology, not just for the OSWE course. I don’t even think you need to solve all of these, because just reading the walkthroughs is good enough as a resource.
- SQL Injection
  - I would say all of the labs in the SQL Injection section are valuable because the main idea is to understand how they work and how you can exploit them.
  - If you want a smaller list, then these are the ones I would 100% recommend:
    - https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data
    - https://portswigger.net/web-security/sql-injection/lab-login-bypass
    - https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses
    - https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors
    - https://portswigger.net/web-security/sql-injection/blind/lab-time-delays
- Cross Site Scripting
  - With XSS payloads things can get quite complicated, but the ones I’d recommend doing are:
    - All Apprentice Labs
    - https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-dom-xss-stored
    - https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-dom-xss-reflected
    - https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages
- CSRF
- XXE/Deserialization/SSTI/File Upload
  - All of the Apprentice and Practitioner Labs
- Path Traversals
- Prototype Pollution
- MISC
Feel free to skip these if you are comfortable with the techniques, but most of them will take minutes to solve and can be speed run quickly.
Resource Links Helpful Videos
These are not strictly for web app vulnerabilities, but general methodology when you are decompiling/performing source code review:
- Ippsec
  - Noter Beyond Root - I really like this video because it’s short and a good way to figure out why your payloads fail
  - Automating Boolean SQL Injection and Evading Filters - Highly recommended to watch
  - https://youtu.be/rfYVkpArtgU?t=1642 (You don’t have to watch the full video, just 10 mins or so from the timestamp)
  - Intro to PHP Deserialization - Good for general deserialization understanding
  - Advanced PHP Deserialization - Phar Files - Can be skipped, but it’s a cool video on PHP Phar deserialization
- John Hammond
- Sec Aura
  - OSWE “Build and Break it” Guide - Really good resource
Resource Links Cheatsheets and Repositories
There are quite a few good OSWE prep related repositories out there, and I would recommend at least looking at some of these to get an idea of how others have gone about it too:
- https://github.com/snoopysecurity/OSWE-Prep
- https://github.com/wetw0rk/AWAE-PREP
- https://www.schellman.com/blog/cybersecurity/oswe-review-and-exam-guide
There are a lot more resources out there, which you can find with your own research and use based on your own needs.