Offensive Security Web Assessor Resources Repo

machevalia/OSWA

OSWA

Work in Progress

Offensive Security Web Assessor (OSWA) WEB-200 Resources

This is not meant to be a comprehensive list or resource for the OSWA exam but instead reflects what I found to be useful during my journey with the course and exam or what I would recommend that someone new to web app penetration testing use as additional resources. You can read my write-up about my experience here (TBD).

Scripts

  • Python HTTP Server w/CORS Headers - CORServer.py by G0LDEN

Examples

This folder will contain tool examples and payload examples for discovery.

Tool Recommendations

  • Dirsearch - I prefer dirsearch over other directory and file brute forcing tools. This is completely a personal preference.
  • PayloadsAllTheThings - I have seen others reference this as a wordlist. While some of their content can be used this way, you really need to read through the payloads, figure out what you need for the job at hand, and then use the chosen payload. These are not spray and pray.

Tips & Tricks

  • Always forget how to unzip rockyou.txt?
sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
  • When running into issues with Gopher protocol requests for SSRFs: spin up a server on your machine and send the request to yourself to see how it is formatted. Make sure that your request is formatted in a way that looks the same as what the server is expecting a client to send. For example, if you can send a request to a page, look at how the request is formatted in your Burp history, then try to make your Gopher request adopt the same formatting.
  • When you believe a CSRF is present, enumerate the possible actions you could get the victim to execute and then perform that action yourself, if possible. By performing it yourself you can see how the parameters and values are formatted in your Burp history. Use that data to craft your payload.
  • Seclists - the raft series for discovery are your friend, not just in OffSec courses/exams but in the real world.
  • If your tools support it, route them through BurpSuite so you have the traffic history and can see the responses.
    • Have a Python script and need to proxy it? I wrote a guide to that here

Practice Labs/Resources

Articles
