Ask more questions :) I am here to help!!
Oh I will be! Keep up the good work homie!
1. If I purchase the 5400 $ yearly subscription, is this exam / course included?
2. Do I need prior coding experience!
Congratulations on getting the OSWE Pascal! And also great video! 👏🏻
Thank you!! 😁 Hope I could help a bit with it!
Thanks man!
This really put some stress off my shoulders and motivated me to go through with the exam.
You're very clear in explanation.
Also, 1 year late, congratulations.
Also I'm watching this 1 year later.
This channel is a hidden gem.
Thank you so much :) Spread the word!!
Just wanted to thank you for your positive energy. keep going dude
Thanks for the insights here. I'm debating whether or not I should tackle this cert once I finish my OSCP!
Absolutely, go for it :) This is an excellent certification for a cheap price. Overall, very well taught!
Great video, I am about to enter the OSWE. I did OSCP about 3 years ago but have forgotten most of it. I also noticed you have 9.99k subscribers! So close to 10K
Thanks for the feedback 😇
Yeah, the 10k will come in today 🔥🔥
I waited for this video
Congratulations on completing OSWE
Thank you very much :)
Do you think after finishing the OSWE it is better to start looking for a job with the OSWE, or would it be better if I used what I learnt in it in some bug bounties?
You will most likely not use much of your OSWE knowledge during bug bounties, because the OSWE mainly focuses on source code analysis, whereas in bug bounty you usually don't have the source!
Go and apply for a job! Good luck 😇
Do we need to write a listener for the exploits for reverse shell callbacks or can we just say along with our script that the user running needs to run their own listener like nc? Nice video btw. I just signed up for the course
nc is enough for you to test your exploit. The pdf guide will also walk you through that process. The exam is not bringing in any new elements.
Hence, once you understand the pdf, you are also ready for the exam.
Good luck on the course 💪🏼 have fun
Any advice for using debug print statements when reviewing source code? I know it’s mentioned in the OSWE in terms of using it. I haven’t found much for resources on how to do it effectively or at all.
I just sometimes use them to print the value of a specific parameter. This is often times faster than constantly debugging the code for the same.
Do you have anything more specific regarding debug statements that you are wondering about?
I think I understand what you mean. Still could see value of you showing that. Maybe if you have other tips that come along with it.
Thanks that is very helpful!!
Thanks for the feedback 😇
What's more marketable in today's time, infrastructure pentesting (networks) or web app pentesting? Both?
I would not say one or the other. Both are needed. However, I personally think that web app has a slight edge over the other.
@@Hacksplained thank you for answering :)
@@lIlIllll1 Of course :)
Will the oswe help me in white box bug bounty hunting ?
Yes, that's pretty much what the OSWE is all about!
If we are not allowed to copy application files to Kali, how can we remote debug?
In the pdf, we copy application folder to kali then edit launch.json and remote debug using vscode...
I have used the vscode ssh extension for that. There are also run configs available which only need to be slightly adapted.
@@Hacksplained ah! I got it
Thanks so much
Can we take help from our own material during the exam?
Can we look back at our related videos during the exam?
Can we use our scripts provided for the OSWE labs?
How do we trigger xss on the exam machine?
I think we can trigger xss on the debug machine, but I'm not sure how to trigger xss on the exam machine
Do you mean simulating a victim who falls for your payload?
If that is needed, it will be available. You also can browse the exam machine. You only can't ssh or rdp to it.
What is needed before starting the course?
How many machines do you have to break in the exam?
I don't have programming skills; I understand a little bit of Java and Python. Should I learn all programming languages, or can I stick to one programming language and go in depth on it? One more doubt: how many months does it take to complete all programming languages?
I am from China. Do the videos Offensive Security provides have subtitles? Thanks.
English ones for sure. Don't know about others right now.
What's your take on skipping the OSWA & going straight to the OSWE?
Hi, how much development background is required? Did you do any prep work before starting labs? And is doing a crash course on each language before starting the exam sufficient?
Thanks for awesome video 👍
In my opinion no background is required at all. I don't have any development background other than writing little Python scripts and hacking tools. What helped me was setting up a couple of web apps off GitHub by myself. I used that to understand how different people code and how they structure their source.
During the course, you will also be forced to read up a ton on the programming languages in use.
Don't worry too much about knowing everything. I literally googled something programming language related every 15 min during the exam.
Thanks for the video! It was very informative! I have a question about how you reviewed the source code of the vulnerable applications. So currently I'm using SSH to connect to the target machines and once I'm inside, I'm using the normal "grep" and "cat" commands to find and view files of the code. I heard you mention using VS Code. How are you implementing this? Are you installing it onto the vulnerable target machines and then reviewing the code there?
Nope, first of all, the vulnerable machines already had VScode installed. If not, you can just install it.
But I had it installed on my local machine and used remote debugging.
Look up VScode remote debugging on Google. There's lots of information how that works. Just make sure to get comfortable with the setup prior to the exam as this sometimes is a little tricky.
Also the course PDF talks about it if I remember correctly.
@@Hacksplained Thank you!
VSCode has a "Remote Explorer" feature with which you can connect to your target via SSH (if you're working from your host)
Do I need to know how to write every script in the course, or do I just have to understand it?
You will have to script your own exploits, so yes, you should have a good understanding. If you can script all the exploits in the course book, you are fine!
How'd you find your exam matched up with the lab machines; did you find the lab a good representation of what to expect?
Absolutely, the exam was in no way harder than the lab machines. If you manage to do the extra miles by yourself without cheating, then you definitely have enough skills to pass the exam.
Which certifications focused on web vulnerabilities do you think are worth it?
I really liked the OSWE. I personally don't have another web app vuln one, but I have heard good things about the INE certs.
Hello
On the even, do I need to remote debug for Java?
Not necessarily. You can connect to the debug machine via xrdp and debug the code there.
Also check out vscode's Remote - SSH extension which is quite handy 😊
@@Hacksplained Thanks! I will check vscode remote ssh extension!
Can I use Google during the exam? How much time did you use every day to prepare for the exam?
Are we allowed to use an IDE like VSCode to read the source code?
Of course 😇 would be terrible otherwise
Hello! Thanks for the video. I would like to ask you about for how long you have been preparing for the exam and if you think that with 3 months plan it's enough. Thanks!
I took quite some time to finish the entire labs. After that, I guess I have invested another 2 months study.
3 months studying for the exam with proper base knowledge should be enough though :)
That was a good review... you've answered a lot of questions... I have done OSCP and am now preparing for OSWE... I have very little experience with .NET and Java...
Do we have to write code in .NET and Java?
It helps to be able to write tiny helper classes in e.g. JAVA which you are then calling out of Python.
But no, you don't have to be an avid Java or .Net coder.
Why do you think that happens? I got interviewed by a company and they asked me about both AD pentesting and web app, but it was like they cared more about the web app pentesting. What are your thoughts, is the price worth it vs the eWAPT from INE?
Was it a consultancy company doing pentests for clients? If yes, easy, most clients wanna have their web apps tested for compliancy reason.
If you are signing up for an internal security team, it might look completely different.
@@Hacksplained they tested me in both web app knowledge and internal; it was a junior security consultant position. They also tested my knowledge live in their virtual environment, which was so stressful
@@georgesotiriadis2763 I can imagine. Interviews can be tough and terrible if done wrongly.
What was the outcome?
@@Hacksplained I didn't get the job and they told me to do more hackthebox and level up my web app skills
@@georgesotiriadis2763 sorry to hear 😬 but yeah, definitely go for more of those labs and you'll get a good gig in no time 🔥
What websites do you recommend for open source bug bounties?
The best bug bounty platform is Intigriti but in general very few programs share source code!
But you might be interested in hackerone.com/ibb
Thanks for sharing, I want to get OSWE. Is the OSWE the same as OSCP? In my mind OSWE is source code review to get a shell and doing priv esc?
is that correct ?
Hey there :)
No, they are definitely not the same. You can find all differences over here: www.offensive-security.com/courses-and-certifications/
But yeah, OSWE is definitely very source code review heavy!
thank you so much!
You're welcome!
Have you done Pentester Lab Pro? If yes, here's a questions. If I really wanna learn advanced web pentesting stuff, do you think I should go for OSWE or buy pro at Pentesterlab, assuming money isn't a problem. Which one has better content, is what I really wanna know. Thank you.
Edit: Has the knowledge gained from OSWE helped you look for bugs in sites and get paid? How does the knowledge help you actually?
Hey there, I have been doing both in the past yeap. You cannot compare them in my opinion. Pentesterlab Pro is probably giving you more insights into a broader spectrum of vulnerabilities. With that, you have more knowledge for bug bounty programs.
They are both great though. OSWE is a little more helpful if you want to find a job in a country where they are really caring about certificates.
The knowledge has helped me to understand the technical details of web apps and with that you have an easier time searching for vulnerabilities.
@@Hacksplained Thank you, what is the probability of securing a job right after I have completed the OSWE certification?
Hi bro, great video. When you said there won't be anything in the exam that isn't taught, does that mean there may be variations of the same exploits or no? Such as binary deserializations
Yeap. So all the vulnerabilities that show up in the exam have been talked about as well in the PDF. Obviously the way to exploit them is going to vary a bit (different web app, different params, different code), but you should be ready to find the flaw once you have fully understood the PDF.
@@Hacksplained Hello, thank you for your time. I will buy the Learn Fundamentals option, which is 799. How do they teach, is it based on PDF or videos?
Could you list some machines similar to the exam?
I cannot give away too much about the exam, but if you manage to complete all the ones out of the PDF, you are all set :)
hi great video, do you believe that with the content you learned you can get started with web app bug bounties?
Well you definitely can make use of that knowledge but for bug bounties, I would rather recommend PortSwigger's web app academy.
Go through one lab after another and try it against real targets using Intigriti.
Which one is better oscp or oswe??
Depends on what you want to learn. Network hacking - OSCP; Source Code Review - OSWE.
They are both good and worth their money!
Bro, 403 in subdomain, how can I exploit it? Plz reply
There is no single answer for that my friend. Depends on so many different aspects.
WILL I GET A JOB AFTER CLEARING OSWE?
You will most likely have an easier job to pass HR. However, you'd still have to go through multiple interview rounds at a good company.
I have another video with typical interview questions which you can use to prepare.
If you master all that, you should end up having a job!
Good luck on your journey 🔥
@@Hacksplained WOW THAT WAS FAST.. THANK YOUU FOR YOUR REPLY ❤️
@@armwrestlingjourney7408 you are welcome 🤙🏼
Hi. Congrats. I have a couple of questions.
1. How much experience (in your opinion) should a person have in dev background and in pen test background in order to successfully pass the exam?
2. Are you allowed to google stuff while taking the exam?
Thanks.
Hey :)
1. I am not a DEV. Programming language know-how is helpful as with everything else in this world but it's not a must to start this course.
2. Absolutely :) hahah But still make sure to have your scripts ready during the exam. The PDF contains a ton of knowledge. Make the scripts re-usable and have them ready!!
Thanks for the video... I have two questions... I just finished OSCP and was thinking of doing this OSWE, but at what level would you say your programming skills should be? Like do I need to be able to code as a developer to be able to pass OSWE or is "basic knowledge" enough?
Second question: Would you say that the lab environment you get is good practice to pass the exam, or do you end up using third-party platforms like maybe HTB DMWA or juice-shop a lot?
Basic programming know how was enough. I don't code in any of the languages that are part of the cert.
The PDF teaches you all you need to know. I didn't even finish all the boxes in time. Hence, I was also not doing anything on HTB, THM, etc :)
@@Hacksplained Thx for reply :)
Good stuff here
Cheers :)
oscp best for india ? what you think bro..
Depends on the job you want to land and where
@@Hacksplained Thanx 😊
Is the OSCP recommended to take before the OSWE?
People have different opinions here, but I say no. They teach completely different topics. Look at the syllabus of both courses and take the one that sparks your interest more!
@@Hacksplained Thanks!
Thanks
Which OS do you suggest for OSWE? KALI or Windows? BTW congrats on passing OSWE
OS does not matter at all. Whatever you are feeling more comfortable with. If you e.g. need any tool that only exists on Linux, you can e.g. always use the Linux subsystem for Windows in case you are a Windows user.
Hi Pascal 👋🙋
Hi Sebastian :D
Thank you Pascal for this video.
I am preparing for OSCP. I am practicing in TryHackMe and HackTheBox.
Will you do OSCP after this?
How much time did you take to prepare yourself before enrolling in AWAE?
Where did you practice for AWAE?
You are welcome :)
No, the OSCP is more infrastructure hacking based. I also have a SANS GPEN certification, which is similar to the OSCP. But no, I am not going to get OSCP certified.
I did not take any time to prepare before enrolling. I enrolled, did all the boxes and then asked myself what I was still missing. In the meantime, my lab access was already gone. So, I started using different materials to learn a bit more, like PortSwigger's web app sec academy or Pentesterlab.
I didn't know Magnus Carlsen is into Cyber Security
And can we listen to songs during the exam 😂
of course :)