Modern web applications present an attack surface that has unquestionably continued to grow in importance over the last decade. With the security improvements in network edge devices and the reduction of successful attacks against them, web applications, along with social engineering, arguably represent the most viable way of breaching the network security perimeter.
The desire to provide end-users with an ever-increasingly rich web experience has resulted in the birth of various technologies and development frameworks that are often layered on top of each other. Although these designs achieve their functional goals, they also introduce complexities into web applications that can lead to vulnerabilities with high impact.
In this course, we will focus on the exploitation of chained web application vulnerabilities of various classes, which lead to a compromise of the underlying host operating system. As a part of the exploit development process, we will also dig deep into the methodologies and techniques used to analyze the target web applications. This will give us a complete understanding of the underlying flaws that we are going to exploit.
Ultimately, the goal of this course is to expose you to a general and repeatable approach to web-application vulnerability discovery and exploitation, while continuing to strengthen the foundational knowledge that is necessary when faced with modern-day web applications.
0.1 About the AWAE Course
This course is designed to develop, or expand, your exploitation skills in web application
Web services have become more resilient and harder to exploit. In order to penetrate today's modern networks, a new approach is required to gain that initial critical foothold into a network.
Penetration testers must be fluent in the art of exploitation when using web based attacks. This intensive hands-on course will take your skills beyond run-of-the-mill SQL injection and file inclusion attacks and introduce you into a world of multi-step, non-trivial web attacks. This web application security training will broaden your knowledge of web service architecture in order to help you identify and exploit a variety of vulnerability classes that can be found on the web today.
The AWAE course is made up of multiple parts. A brief overview of what you should now have access to is below:
- The AWAE course materials
- Access to the internal VPN lab network
- Student forum credentials
- Live support
AWAE course materials: comprised of a lab guide in PDF format and the accompanying course videos. The information covered in both the lab guide and videos overlaps, which allows you to watch what is being presented in the videos in a quick and efficient manner, and then reference the lab guide to fill in the gaps at a later time.
In some modules, the lab guide will go into more depth than the videos but the videos are also able to convey some information better than text, so it is important that you pay close attention to both. The lab guide also contains exercises at the end of each chapter, as well as extra miles for those students who would like to go above and beyond what is required in order to get the most out of the course.
Access to the internal VPN lab network: your welcome package, which was sent to you via email on your course start date, should have included your VPN credentials and the corresponding VPN connectivity pack. When used together, these enable you to connect to, and access, the internal VPN lab network, where you will be spending a considerable amount of time. Lab time starts when your course begins, and is in the form of continuous access. Lab time cannot be paused without a valid reason.
A lab extension may also be purchased at any time using your personalized purchase link, which you should have also received via email. If a lab extension is purchased while your lab access is still active, additional time will be added to your existing access and you may continue to use the same VPN connectivity pack. If a lab extension is purchased after your existing lab access has already ended, you will be sent a new VPN connectivity pack within one hour of payment having been processed.
The Offensive Security Student Forum: The student forum is only accessible to Offensive Security students. Your forum credentials were also part of your welcome package; please check your email to ensure you have them. Forum access is permanent and does not expire when your lab time ends.
By using the forum, you are able to freely communicate with your peers to ask questions, share interesting resources, and offer tips and nudges as long as there are no spoilers (as they may ruin the overall course experience for others). Please be very mindful when using the forums, otherwise the content you post may be moderated.
Live Support: The support system allows you to directly communicate with our student administrators, who are members of the Offensive Security staff. Student administrators will primarily assist with technical issues; however, they may also clear up any doubts you may have regarding the course material or the corresponding course exercises. Moreover, they may occasionally provide you with a nudge or two if you happen to be truly stuck on a given exercise, provided you have already given it your best try. It is important to note that the information provided by them will be based on the amount of detail you provide them. The more detail you provide in terms of things you have already tried and the outcome, the better.
0.2 Our Approach
Students who have taken our introductory PWK course will find this course to be significantly different. The AWAE labs are less diverse and contain a few test case scenarios that the course focuses on. Moreover, a set of dedicated virtual machines hosting these scenarios will be available to each AWAE student to experiment with the course material. On a few occasions, explanations are intentionally vague in order to challenge you and ensure the concept behind the module is clear to you.
How you approach the AWAE course is up to you. Due to the uniqueness of each student, it is not practical for us to tell you how you should approach it, but if you don't have a preferred learning style, we suggest you:
1. Read the emails that were sent to you as part of your welcome package
2. Start each module by reading the chapter in the lab guide and getting a general familiarity with it
3. Once you have finished reading the chapter, proceed by watching the accompanying video for that module
4. Gain an understanding of what you are required to do and attempt to recreate the exercise in the lab
5. Perform the Extra Mile exercises. These are not covered in the labs and are up to you to complete on your own
6. Document your findings in your preferred documentation environment
You may opt to start with the course videos, and then review the information for that given module in the lab guide, or vice versa. As you go through the course material, you may need to re-watch or re-read modules a number of times prior to fully understanding what is being taught. Remember, it is a marathon, not a sprint, so take all the time you need.
0.3 Obtaining Support
AWAE is a self-paced online course. It allows you to go at your own desired speed, perform additional research in areas where you may be weak, and so forth. Take advantage of this type of setting to get the most out of the course: there is no greater feeling than figuring something out on your own.
The following document contains the lab exercises for the course and should be attempted only inside the Offensive Security secluded lab. Please note that most of the attacks described in the lab guide would be illegal if attempted on machines that you do not have explicit permission to test and attack. Since the lab environment is secluded from the Internet, it is safe to perform the attacks inside the lab. Offensive Security assumes no responsibility for any actions performed outside the secluded lab.
0.5 Offensive Security AWAE Labs
0.5.1 General Information
As noted above, the IP addresses presented in this guide (and the videos) do not necessarily reflect the IP addresses in the Offensive Security lab. Do not try to copy the examples in the lab guide verbatim; you need to adapt the example to your specific lab configuration. You will find the IP addresses of your assigned lab machines in your student control panel within the VPN labs.
There are two types of people: those who regularly back up their documentation, and those who wish they did. Backups are often thought of as insurance: you never know when you're going to need them until you do. As a general rule, we recommend that you back up your documentation regularly, as it's a good practice to do so. Please keep your backups in a safe place, as you certainly don't want them to end up in a public git repo or in the cloud, for obvious reasons!