OSWE Prep

Syllabus: https://manage.offsec.com/app/uploads/2023/01/WEB-300-Syllabus-Google-Docs.pdf

Concept: What You Should Know

Data Types
• How are they declared?
• How can they be cast/converted to other data types?
• Which data types have the ability to hold multiple sets of data?

Variables & Constants
• Why do some data types need to be dynamic?
• Why do some data types need to remain constant?

Keywords
• Which words are reserved, and why can they not be used as a variable or constant?

Conditional Statements
• How is data compared to create logic?
• Which operators are used to make these comparisons?
• How does logic branch from an if/then/else statement?

Loops
• What are loops primarily used for?
• How is a loop exited?

Functions
• How are functions called?
• How are they called from a different file in the codebase?
• How is data passed to a function?
• How is data returned from a function?

Comments
• Which characters denote the start of a comment?
Concept: What You Should Know

Input Validation
• How do web apps ensure user-provided data is valid?
• Which types of data can be dangerous to a web app?

Database Interaction
• What kinds of databases can be used by a web app?
• How do database management systems differ?
• How does a web app create, retrieve, update, or delete database data?

Authentication
• How does a web app authenticate users?
• What are hashes? Why is data often stored as hashes?
Language: Sample Project for Code Review

PHP
• Beginner: Simple PHP Website
• Advanced: Fuel CMS

ASP.NET & C#
• Beginner: Simple Web App MVC
• Moderate: Reddnet

NodeJS
• Beginner: Employee Database
• Moderate: JS RealWorld Example App

Java
• Beginner: Java Web App – Step by Step
• Advanced: GeoStore
Vulnerability: Vulnerability Write-up

Cross-Site Scripting (XSS)
• From Reflected XSS to Account Takeover
• XSS to Account Takeover
• XHR Spec
• AtMail Email Server Appliance 6.4 - Persistent Cross-Site Scripting
• Chaining XSS, CSRF to achieve RCE
• Code analysis to gaining RCE
• Magento 2.3.1: Unauthenticated Stored XSS to RCE
• Mybb 18.20 From Stored XSS to RCE

Session Hijacking
• Hijacking Sessions using Socat
• PentesterLab XSS and MySQL File

Persistent Cross-Site Scripting
• Acunetix on Persistent XSS
• PortSwigger Web Security - XSS

Cross-Site Request Forgery
• OWASP CSRF Prevention Cheat Sheet

XSS and MySQL
• VulnHub Pentester Lab XSS and MySQL File

Bypassing File Upload Restrictions
• Exploit-DB File Upload Restrictions Bypass
• Security Idiots - Shell Upload
• OWASP Unrestricted File Upload
• Popcorn machine from HackTheBox
• Vault machine from HackTheBox
• [Paper] File Upload Restrictions Bypass
• Shell the web - Methods of a Ninja
• Unrestricted File Upload
• Atlassian Crowd Pre-auth RCE
PHP Type Juggling
• PHP Magic Tricks: Type Juggling
• PHP Type Juggling Explained
• FoxGloveSecurity PHP Type Juggling
• Netsparker PHP Type Juggling
• TurboChaos PHP Type Juggling
• OWASP Type Juggling Authentication Bypass
• PHP.net Type Comparisons
• Spaze Hashes
• WhiteHatSec Magic Hashes
• Falafel machine from HackTheBox

Deserialization
• OWASP Deserialization Cheat Sheet
• BlackHat JSON Attacks
• Exploit-DB Deserialization
• Zer0Nights Deserialization

.NET Deserialization
• BlackHat .NET Serialization
• ysoserial.net
• dnSpy

Java Deserialization
• Exploiting Blind Java Deserialization
• OWASP Java Deserialization
• ysoserial
• Java Deserialization Cheat Sheet
• Practicing Java Deserialization

JavaScript Injection
• NodeGoat Server-Side JS Injection
• CapacitorSet MathJS

NodeJS
• Remote Debugging Node with VSCode
• Node.js Security Course
• Acunetix JS Deserialization
• YeahHub Node.js Deserialization Attack
• Celestial machine from HackTheBox

SQL Injection
• PentesterLab SQLi to Shell
• Acunetix Blind SQLi

PostgreSQL
• PostgreSQL SQL Injection Cheat Sheet
• PostgreSQL Shell
• PostgreSQL Exploit DB
• PostgreSQL String Functions
• LinuxTopia PostgreSQL Guide
• PostgreSQL Injection Guide
• Blind PostgreSQL SQL Injection

Long Readings
• Use of Deserialization in .NET Framework
• BlackHat JSON Attacks