OSWE Exam review “2020” + Notes & Gifts inside!

Thanks for this excellent information! Nowhere near that level of knowledge yet but it was interesting to read nonetheless. One small note: you might want to put a small spoiler warning before the “Exam Preparation Plan” since you’re disclosing the attack vectors for some of the machines.

@GPLO said:
Thanks for this excellent information! Nowhere near that level of knowledge yet but it was interesting to read nonetheless. One small note: you might want to put a small spoiler warning before the “Exam Preparation Plan” since you’re disclosing the attack vectors for some of the machines.

Thanks… actually, unlike OSCP, in OSWE the course is a walkthrough of the solutions of each machine. So this is basically the course content.

Thank you for the detailed description and congratulations! How can I imagine a proctored exam in 48 hours? Do they follow my activity through a camera?

@bumika said:
Thank you for the detailed description and congratulations! How can I imagine a proctored exam in 48 hours? Do they follow my activity through a camera?

It is very similar to OSCP, if you’ve taken that. Basically they watch you through webcam and view your screen, to ensure that you are the one doing the work, and not someone else. It goes on for the whole 48 hours.

I took OSCP in the pre-proctored era. I hope sleeping is not a subject of visibility. :slight_smile:

How long did you wait for results after the exam?

@bumika
Well, you can take short/long breaks. I didn’t go through proctoring since I covered it in my OSCP review.

@martin59
Around 5 days.

I have both Sec+ and CISSP. I would say skip the Sec+ and go for CISSP. CISSP has everything Sec+ has and more. CISSP is a beast in its own right; you have to learn the rules in ISC2’s reality. Think like a high-level boss in terms of how to defend everything, including stupid employees who write their password on a notepad and leave it on the subway. Even if you stay as a pen tester for life, CISSP helps you see the big picture so you never have to ask why am I doing this, or who does this affect?

@squirrelpizza said:
I have both Sec+ and CISSP. I would say skip the Sec+ and go for CISSP. CISSP has everything Sec+ has and more. CISSP is a beast in its own right; you have to learn the rules in ISC2’s reality. Think like a high-level boss in terms of how to defend everything, including stupid employees who write their password on a notepad and leave it on the subway. Even if you stay as a pen tester for life, CISSP helps you see the big picture so you never have to ask why am I doing this, or who does this affect?

Thanks for the feedback… check dm…

Congrats! Great work.

Congrats! I’m going to be taking this one in a couple of weeks.

First of all congratulations!

As a fellow OSWE holder I disagree with your assessment that the course doesn’t cover vulnerability discovery enough, I actually found it was quite good.

They give you all the tools needed to find vulnerabilities and the extra miles are really good at making you go through things and create your own methodology for vulnerability discovery.

I also don’t think the course should dive into blackbox testing, it’s meant to be a whitebox testing course.

I do agree that the course could use more extra miles and a tweak to a certain one…

More languages is probably not needed since it covers the more common languages for web development, but more challenges would be nice.

Just my opinions to offer some counter points :smiley:

Hope to have a go at your box when it’s out!!!

At least there is no XXE now (I guess I’ve seen it in previous AWAE public pdfs)

Some boxes to practice with

@s0j0hn said:
Some boxes to practice with
NetSecFocus Trophy Room - Google Drive

These boxes are for OSCP, not OSWE.
You may mention them in my OSCP review.

@21y4d said:

@s0j0hn said:
Some boxes to practice with
NetSecFocus Trophy Room - Google Drive

These boxes are for OSCP, not OSWE.
You may mention them in my OSCP review.

There is a tab for OSWE at the top

@s0j0hn said:
@21y4d said:

(Quote)
There is a tab for OSWE at the top

Oh, I see… Yeah, some of them are the same boxes mentioned above.

I must mention that they contain parts that might be useful for OSWE, but unfortunately I couldn’t find any with whitebox testing vectors.

Hopefully sourceCode will be dedicated for this area, once it goes live.

Thanks for sharing

Thanks for this detailed review. I am rather interested in this exam, since it would be a good fit for my day job as a developer. Do you think/know if OSCP is required for this exam?

@dnperfors said:
Thanks for this detailed review. I am rather interested in this exam, since it would be a good fit for my day job as a developer. Do you think/know if OSCP is required for this exam?

You can definitely go directly to OSWE, since there are no prerequisites for this course. I think it would also be good for you, since OSWE is also aimed towards developers.

However, I must note that OSWE is an advanced course, so you must have good knowledge in web exploitation. If you do take and pass OSCP, and then complete the areas I mentioned in the study plan above, then you are good to go.

Thanks, I already planned to look at several boxes, including the ones mentioned in the link. After studying those, I can always decide whether or not I am confident enough to start…