AWAE Course Syllabus

  0. Introduction
    0.1 About the AWAE Course
    0.2 Our Approach
    0.3 Obtaining Support
    0.4 Legal
    0.5 Offensive Security Labs
    0.6 Backups
  1.
    1.1 Web Traffic Inspection
    1.2 Interacting with Web Listeners with Python
    1.3 Source Code Recovery
  2.
    2.1 Overview
    2.2 Getting Started
    2.3 Atmail Vulnerability Discovery
    2.4 Session Hijacking
    2.5 Session Riding
    2.6 Gaining Remote Code Execution
    2.7 Summary
  3.
    3.1 Overview
    3.2 Getting Started
    3.3 Initial Vulnerability Discovery
    3.4 Brief Review of Blind SQL Injections
    3.5 Digging Deeper
    3.6 Data Exfiltration
    3.7 Subverting the ATutor Authentication
    3.8 Authentication Gone Bad
    3.9 Bypassing File Upload Restrictions
    3.10 Gaining Remote Code Execution
    3.11 Summary
  4.
    4.1 Overview
    4.2 Getting Started
    4.3 PHP Loose and Strict Comparisons
    4.4 PHP String Conversion to Numbers
    4.5 Vulnerability Discovery
    4.6 Attacking the Loose Comparison
    4.7 Summary
  5.
    5.1 Overview
    5.2 Getting Started
    5.3 Vulnerability Discovery
    5.4 Bypassing Character Restrictions
    5.5 Blind Bats
    5.6 Accessing the File System
    5.7 PostgreSQL Extensions
    5.8 UDF Reverse Shell
    5.9 More Shells!!!
    5.10 Summary
  6.
    6.1 Overview
    6.2 Getting Started
    6.3 The Bassmaster Plugin
    6.4 Vulnerability Discovery
    6.5 Triggering the Vulnerability
    6.6 Obtaining a Reverse Shell
    6.7 Summary
  7.
    7.1 Overview
    7.2 Getting Started
    7.3 Introduction
    7.4 Serialization Basics
    7.5 DotNetNuke Vulnerability Analysis
    7.6 Payload Options
    7.7 Putting It All Together
    7.8 ysoserial.net
    7.9 Summary

0. Introduction

Modern web applications present an attack surface that has unquestionably continued to grow in importance over the last decade. With the security improvements in network edge devices and the reduction of successful attacks against them, web applications, along with social engineering, arguably represent the most viable way of breaching the network security perimeter.

The desire to provide end-users with an ever-increasingly rich web experience has resulted in the birth of various technologies and development frameworks that are often layered on top of each other. Although these designs achieve their functional goals, they also introduce complexities into web applications that can lead to vulnerabilities with high impact.

In this course, we will focus on the exploitation of chained web application vulnerabilities of various classes, which lead to a compromise of the underlying host operating system. As a part of the exploit development process, we will also dig deep into the methodologies and techniques used to analyze the target web applications. This will give us a complete understanding of the underlying flaws that we are going to exploit.

Ultimately, the goal of this course is to expose you to a general and repeatable approach to web-application vulnerability discovery and exploitation, while continuing to strengthen the foundational knowledge that is necessary when faced with modern-day web applications.

0.1 About the AWAE Course

This course is designed to develop, or expand, your exploitation skills in web application penetration testing and exploitation research. This is not an entry-level course; it is expected that you are familiar with basic web technologies and scripting languages. We will dive into, read, understand, and write code in several languages, including but not limited to JavaScript, PHP, Java, and C#.

Web services have become more resilient and harder to exploit. In order to penetrate today's modern networks, a new approach is required to gain that initial critical foothold into a network.

Penetration testers must be fluent in the art of exploitation when using web based attacks. This intensive hands-on course will take your skills beyond run-of-the-mill SQL injection and file inclusion attacks and introduce you into a world of multi-step, non-trivial web attacks. This web application security training will broaden your knowledge of web service architecture in order to help you identify and exploit a variety of vulnerability classes that can be found on the web today.

The AWAE course is made up of multiple parts. A brief overview of what you should now have access to is below:

  • The AWAE course materials
  • Access to the internal VPN lab network
  • Student forum credentials
  • Live support

AWAE course materials: a lab guide in PDF format and the accompanying course videos. The information covered in the lab guide and the videos overlaps, which allows you to watch what is being presented in the videos in a quick and efficient manner, and then reference the lab guide to fill in the gaps at a later time.

In some modules, the lab guide will go into more depth than the videos but the videos are also able to convey some information better than text, so it is important that you pay close attention to both. The lab guide also contains exercises at the end of each chapter, as well as extra miles for those students who would like to go above and beyond what is required in order to get the most out of the course.

Access to the internal VPN lab network: your welcome package, which was sent to you via email on your course start date, should have included your VPN credentials and the corresponding VPN connectivity pack. When used together, these enable you to connect to, and access, the internal VPN lab network, where you will be spending a considerable amount of time. Lab time starts when your course begins, and is in the form of continuous access. Lab time cannot be paused without a valid reason.

A lab extension may also be purchased at any time using your personalized purchase link, which you should have also received via email. If a lab extension is purchased while your lab access is still active, additional time will be added to your existing access and you may continue to use the same VPN connectivity pack. If a lab extension is purchased after your existing lab access has already ended, you will be sent a new VPN connectivity pack within one hour of payment having been processed.

The Offensive Security Student Forum: The student forum is only accessible to Offensive Security students. Your forum credentials were also part of your welcome package; please check your email to ensure you have them. Forum access is permanent and does not expire when your lab time ends.

By using the forum, you are able to freely communicate with your peers to ask questions, share interesting resources, and offer tips and nudges, as long as there are no spoilers, since spoilers may ruin the overall course experience for others. Please be very mindful when using the forums, otherwise the content you post may be moderated.

Live Support: The support system allows you to directly communicate with our student administrators, who are members of the Offensive Security staff. Student administrators will primarily assist with technical issues; however, they may also clear up any doubts you may have regarding the course material or the corresponding course exercises. Moreover, they may occasionally provide you with a nudge or two if you happen to be truly stuck on a given exercise, provided you have already given it your best try. It is important to note that the information they provide will be based on the amount of detail you provide them. The more detail you provide in terms of things you have already tried and the outcome, the better.

In order to access the rest of this course content, you must enroll in Offensive Security's Advanced Web Attacks and Exploitation online course.

  • Explore unique challenges and vulnerabilities related to web applications
  • Gain access to OffSec's innovative virtual labs for a unique, hands-on learning experience
  • Earn the highly sought-after Offensive Security Web Expert (OSWE) certification

0.2 Our Approach

Students who have taken our introductory PWK course will find this course to be significantly different. The AWAE labs are less diverse and contain a few test case scenarios that the course focuses on. Moreover, a set of dedicated virtual machines hosting these scenarios will be available to each AWAE student to experiment with the course material. On a few occasions, explanations are intentionally vague in order to challenge you and ensure the concept behind the module is clear to you.

How you approach the AWAE course is up to you. Due to the uniqueness of each student, it is not practical for us to tell you how you should approach it, but if you don't have a preferred learning style, we suggest you:

  1. Read the emails that were sent to you as part of your welcome package
  2. Start each module by reading the chapter in the lab guide and getting a general familiarity with it
  3. Once you have finished reading the chapter, proceed by watching the accompanying video for that module
  4. Gain an understanding of what you are required to do and attempt to recreate the exercise in the lab
  5. Perform the Extra Mile exercises. These are not covered in the labs and are up to you to complete on your own
  6. Document your findings in your preferred documentation environment

You may opt to start with the course videos, and then review the information for that given module in the lab guide, or vice versa. As you go through the course material, you may need to re-watch or re-read modules a number of times prior to fully understanding what is being taught. Remember, it is a marathon, not a sprint, so take all the time you need.

0.3 Obtaining Support

AWAE is a self-paced online course. It allows you to go at your own desired speed, perform additional research in areas you may be weak at, and so forth. Take advantage of this type of setting to get the most out of the course; there is no greater feeling than figuring something out on your own.

0.4 Legal

The following document contains the lab exercises for the course and should be attempted only inside the Offensive Security secluded lab. Please note that most of the attacks described in the lab guide would be illegal if attempted on machines that you do not have explicit permission to test and attack. Since the lab environment is secluded from the Internet, it is safe to perform the attacks inside the lab. Offensive Security assumes no responsibility for any actions performed outside the secluded lab.

0.5 Offensive Security AWAE Labs

0.5.1 General Information

As noted above, take note that the IP addresses presented in this guide (and the videos) do not necessarily reflect the IP addresses in the Offensive Security lab. Do not try to copy the examples in the lab guide verbatim; you need to adapt the example to your specific lab configuration. You will find the IP addresses of your assigned lab machines in your student control panel within the VPN labs.

0.6 Backups

There are two types of people: those who regularly back up their documentation, and those who wish they did. Backups are often thought of as insurance: you never know when you're going to need one until you do. As a general rule, we recommend that you back up your documentation regularly. Please keep your backups in a safe place, as you certainly don't want them to end up in a public git repo or the cloud, for obvious reasons!
