Nytro Posted September 16, 2020 Report Posted September 16, 2020 OSWE/AWAE Preparation Jan 22, 2020 WebExploit Development Share on: updated Content AWAE1.5 OSWE Exam Preparation This post contains all trainings and tutorials that could be useful for offensive security’s OSWE certification. I will be updating the post during my lab and preparation for the exam. Course Syllabus: https://www.offensive-security.com/documentation/awae-syllabus.pdf Before registering for AWAE Lab: Get comfortable with python requests library Read Web Application Hacker’s handbook, again if you already did Get familiar with Burpsuite Get familiar with regex Get hands on with OWASP top 10 2017 Vulnerabilities Vulnerable Apps for practice on OWASP Portswigger WebSecAcademy Practice code review skills - OWASP SKF Before registering for the OSWE Exam: XSS to RCE AtMail Email Server Appliance 6.4 - Persistent Cross-Site Scripting Chaining XSS, CSRF to achieve RCE Code analysis to gaining RCE Magento 2.3.1: Unauthenticated Stored XSS to RCE Mybb 18.20 From Stored XSS to RCE Bypassing File Upload Restrictions: [Paper] File Upload Restrictions Bypass Shell the web - Methods of a Ninja Unrestricted File Upload Atlassian Crowd Pre-auth RCE Popcorn machine from HackTheBox Vault machine from HackTheBox Authentication Bypass to RCE ATutor 2.2.1 Authentication Bypass ATutor LMS password_reminder TOCTOU Authentication Bypass ATutor 2.2.1 - Directory Traversal / Remote Code Execution Cubecart Admin Authentication Bypass Trendmicro smart protection bypass to RCE Password Reset Vulnerability Testing Password rest functionalities OWASP - Forgot Password Cheatsheet How we hacked multiple user accounts using weak reset tokens for passwords SQL Injection: RCE with SQL Injection - MSSQL SQL Injection to LFI to RCE - MySQL From SQLi to SHELL (I and II) - PentesterLab Pre-Auth Takeover of OXID eShops Blind SQL Injection [Paper] PostgreSQL Injection Having Fun With PostgreSQL Blind Postgresql Sql Injection Tutorial SQL Injection Cheat Sheet - PentestMonkey SQL Injection Cheat Sheet - PayloadAllTheThings Exploiting H2 SQL injection to RCE JavaScript Injection: Server Side JS Injection Remote Code Execution in math.js Arbitrary code execution in fast-redact NVIDIA GeForce Experience OS Command Injection - CVE-2019-5678 SetTimeout and SetInterval use eval therefore are evil Pentesting Node.js Application : Nodejs Application Security NodeJS remote debugging with vscode Escape NodeJS Sandboxes PHP Type Juggling: OWASP - PHPMagicTricks TypeJuggling PHP Type Juggling - Introduction Type Juggling, PHP Object Injection, SQLi Writing Exploits For PHP Type Juggling Type Juggling Authentication Bypass Vulnerability in CMS Made Simple PHP Magic Hashes Detailed Explanation of PHP Type Juggling Vulnerabilities [Video] PHP Type Juggling Vulnerabilities, Netsparker [Video] Falafel machine from HackTheBox Deserialization: Deserialization_Cheat_Sheet Insecure deserialization - PayloadAllthethings [Paper] Deserialization Vulnerability Serialization : A Big Threat JAVA Deserialization Understanding & practicing java deserialization exploits Understanding JAVA Deserialization Exploiting blind Java deserialization with Burp and Ysoserial Details on Oracle Web Logic Desrialization Analysis of Weblogic Deserialization [Video] Matthias Kaiser - Exploiting Deserialization Vulnerabilities in Java .NET Deserialization Use of Deserialization in .NET Framework Methods and Classes. Exploiting Deserialisation in ASP.NET via ViewState Remote Code Execution via Insecure Deserialization in Telerik UI [Video] Friday the 13th: JSON Attacks - BlackHat [Paper] Are you My Type? [Video] JSON Machine from HackTheBox - Ippsec PHP Object Injection/Deserialization What is PHP Object Injection phpBB 3.2.3: Phar Deserialization to RCE Exploiting PHP Desrialization Analysis of typo3 Deserialization Vulnerability Attack Surface of PHP Deserialization Vulnerability via Phar [Video] Intro to PHP Deserialization / Object Injection - Ippsec [Video] Advanced PHP Deserialization - Phar Files - Ippsec [Video] Exploiting PHP7 unserialize (33c3) NodeJS Deserialization Exploiting Node.js deserialization bug for Remote Code Execution The good, the bad and RCE on NodeJS applications Attacking Deserialization in JS Node.js Deserialization Attack – Detailed Tutorial [Video] Celestial machine from HackTheBox - Ippsec XML External Entity (XXE) Attack A Deep Dive into XXE Injection From XXE to RCE: Pwn2Win CTF 2018 Writeup Blind XXE to RCE Apache Flex BlazeDS XXE Vulnerabilty WebLogic EJBTaglibDescriptor XXE Server Side Template Injection (SSTI) [Portswigger Research] Server Side Template Injection [Video] SSTI : RCE For The Modern Web App - albinowax Server Side Template Injection Jinja2 template injection filter bypasses Exploitation of Server Side Template Injection with Craft CMS plugin SEOmatic <=3.1.3 Websocekts InSecurity Introduction to WebSockets [Video] Hacking with Websocket - BlackHat Remote Hardware takeover via Websocket Hijacking Cross-Site WebSocket Hijacking to full Session Compromise Source Code Audit Introduction to Code Review [PentesterLab] Static code analysis writeups TrendMicro - Secure Coding Dojo Bug Hunting with Static Code Analysis [Video] Shopify Remote Code Execution - Hackerone Finding vulnerabilities in source code ( APS.NET) A deep dive into ASP.NET Deserialization Writeups by mr_me Youtube Playlist Further References/Reviews From AWAE to OSWE the preperation guide - hansesecure OSWE Exam Review 2020 Notes gifts inside - 21y4d OSWE Cheat Sheet - V1s3r1on wetw0rk/AWAE-PREP https://codewhitesec.blogspot.com/ https://blog.ripstech.com/ https://rhinosecuritylabs.com Sursa: https://z-r0crypt.github.io/blog/2020/01/22/oswe/awae-preparation/ 2 Quote
mrod Posted April 30, 2023 Report Posted April 30, 2023 (edited) In conclusion, writing a whole paper https://sinfullythinn.com/how-to-write-a-paper-in-one-hour/ in only one hour is an extremely challenging task, but it is not impossible if the suitable strategy is used. You should begin by organizing your calendar, deciding on a topic, doing some short research, brainstorming some ideas for an outline, plowing through the writing process, and finally editing, formatting, and proofreading your work. If you follow these pointers, you should be able to finish a quality research report in under an hour. Edited May 1, 2023 by mrod Quote
Nytro Posted April 30, 2023 Author Report Posted April 30, 2023 Learn everything from the course! It should be enough is some other skills are present (e.g. code review). Quote