OSWE/AWAE Preparation: Complete Study Guide

OSWE Exam Preparation

I passed OSWE in 2020 after completing the AWAE course. This guide has been maintained and updated since then as the exam evolves. Everything here is what I actually used — not just collected links.

Last updated: June 2025. Added PortSwigger Web Security Academy as primary free resource and noted outdated links.

Exam info: 48-hour practical exam, multiple vulnerable web apps, requires white-box source code review and working exploit development. No metasploit. No automated scanners.

Prerequisites: OSCP completed, comfortable with Python scripting, basic understanding of web app architecture | Difficulty: Hard | Pass rate: ~15-20%

My Exam Strategy

A few things I wish someone had told me before I sat the exam:

Source code review is the exam. The vulnerability is always there — your job is to find it by reading code, not by fuzzing. Get fast at reading PHP, Java, and .NET code before you register.

Automate your exploits end-to-end. The exam expects a working script that goes from unauthenticated to RCE in one run. Practice writing these during lab time, not figuring it out during the exam.

Time management is critical. In a 48-hour exam, sleep. Seriously. A rested 6-hour block is worth more than pushing through exhausted. Plan for 8 hours of sleep and still have plenty of time.

The lab machines are your best prep. Do every lab machine twice — once to understand the vulnerability, once to write a clean automated exploit.

Course Syllabus:

https://www.offensive-security.com/documentation/awae-syllabus.pdf

Before registering for AWAE Lab:

• Get comfortable with python requests library
• Read Web Application Hacker’s handbook, again if you already did
• Get familiar with Burpsuite
• Get familiar with regex
• Get hands on with OWASP top 10 2017 Vulnerabilities
  • Vulnerable Apps for practice on OWASP
  • Portswigger WebSecAcademy
• Practice code review skills - OWASP SKF

Before registering for the OSWE Exam:

• XSS to RCE

  • AtMail Email Server Appliance 6.4 - Persistent Cross-Site Scripting
  • Chaining XSS, CSRF to achieve RCE
  • Code analysis to gaining RCE
  • Magento 2.3.1: Unauthenticated Stored XSS to RCE
  • Mybb 18.20 From Stored XSS to RCE

• Bypassing File Upload Restrictions:

  • [Paper] File Upload Restrictions Bypass
  • Shell the web - Methods of a Ninja
  • Unrestricted File Upload
  • Atlassian Crowd Pre-auth RCE
  • Popcorn machine from HackTheBox
  • Vault machine from HackTheBox

• Authentication Bypass to RCE

  • ATutor 2.2.1 Authentication Bypass
  • ATutor LMS password_reminder TOCTOU Authentication Bypass
  • ATutor 2.2.1 - Directory Traversal / Remote Code Execution
  • Cubecart Admin Authentication Bypass
  • Trendmicro smart protection bypass to RCE

• Password Reset Vulnerability

  • Testing Password rest functionalities
  • OWASP - Forgot Password Cheatsheet
  • How we hacked multiple user accounts using weak reset tokens for passwords

• SQL Injection:

  • RCE with SQL Injection - MSSQL
  • SQL Injection to LFI to RCE - MySQL
  • From SQLi to SHELL (I and II) - PentesterLab
  • Pre-Auth Takeover of OXID eShops
  • Blind SQL Injection
  • [Paper] PostgreSQL Injection
  • Having Fun With PostgreSQL
  • Blind Postgresql Sql Injection Tutorial
  • SQL Injection Cheat Sheet - PentestMonkey
  • SQL Injection Cheat Sheet - PayloadAllTheThings
  • Exploiting H2 SQL injection to RCE

• JavaScript Injection:

  • Server Side JS Injection
  • Remote Code Execution in math.js
  • Arbitrary code execution in fast-redact
  • NVIDIA GeForce Experience OS Command Injection - CVE-2019-5678
  • SetTimeout and SetInterval use eval therefore are evil
  • Pentesting Node.js Application : Nodejs Application Security
  • NodeJS remote debugging with vscode
  • Escape NodeJS Sandboxes

• PHP Type Juggling:

  • OWASP - PHPMagicTricks TypeJuggling
  • PHP Type Juggling - Introduction
  • Type Juggling, PHP Object Injection, SQLi
  • Writing Exploits For PHP Type Juggling
  • Type Juggling Authentication Bypass Vulnerability in CMS Made Simple
  • PHP Magic Hashes
  • Detailed Explanation of PHP Type Juggling Vulnerabilities
  • [Video] PHP Type Juggling Vulnerabilities, Netsparker
  • [Video] Falafel machine from HackTheBox

• Deserialization:

  • Deserialization_Cheat_Sheet

  • Insecure deserialization - PayloadAllthethings

  • [Paper] Deserialization Vulnerability

  • Serialization : A Big Threat

  • JAVA Deserialization

    • Understanding & practicing java deserialization exploits
    • Understanding JAVA Deserialization
    • Exploiting blind Java deserialization with Burp and Ysoserial
    • Details on Oracle Web Logic Desrialization
    • Analysis of Weblogic Deserialization
    • [Video] Matthias Kaiser - Exploiting Deserialization Vulnerabilities in Java

  • .NET Deserialization

    • Use of Deserialization in .NET Framework Methods and Classes.
    • Exploiting Deserialisation in ASP.NET via ViewState
    • Remote Code Execution via Insecure Deserialization in Telerik UI
    • [Video] Friday the 13th: JSON Attacks - BlackHat
    • [Paper] Are you My Type?
    • [Video] JSON Machine from HackTheBox - Ippsec

  • PHP Object Injection/Deserialization

    • What is PHP Object Injection
    • phpBB 3.2.3: Phar Deserialization to RCE
    • Exploiting PHP Desrialization
    • Analysis of typo3 Deserialization Vulnerability
    • Attack Surface of PHP Deserialization Vulnerability via Phar
    • [Video] Intro to PHP Deserialization / Object Injection - Ippsec
    • [Video] Advanced PHP Deserialization - Phar Files - Ippsec
    • [Video] Exploiting PHP7 unserialize (33c3)

  • NodeJS Deserialization

    • Exploiting Node.js deserialization bug for Remote Code Execution
    • The good, the bad and RCE on NodeJS applications
    • Attacking Deserialization in JS
    • Node.js Deserialization Attack – Detailed Tutorial
    • [Video] Celestial machine from HackTheBox - Ippsec

• XML External Entity (XXE) Attack

  • A Deep Dive into XXE Injection
  • From XXE to RCE: Pwn2Win CTF 2018 Writeup
  • Blind XXE to RCE
  • Apache Flex BlazeDS XXE Vulnerabilty
  • WebLogic EJBTaglibDescriptor XXE

• Server Side Template Injection (SSTI)

  • [Portswigger Research] Server Side Template Injection
  • [Video] SSTI : RCE For The Modern Web App - albinowax
  • Server Side Template Injection
  • Jinja2 template injection filter bypasses
  • Exploitation of Server Side Template Injection with Craft CMS plugin SEOmatic <=3.1.3

• WebSockets InSecurity

  • Introduction to WebSockets
  • [Video] Hacking with Websocket - BlackHat
  • Remote Hardware takeover via Websocket Hijacking
  • Cross-Site WebSocket Hijacking to full Session Compromise

• Source Code Audit

  • Introduction to Code Review [PentesterLab]
  • Static code analysis writeups
  • TrendMicro - Secure Coding Dojo
  • Bug Hunting with Static Code Analysis [Video]
  • Shopify Remote Code Execution - Hackerone
  • Finding vulnerabilities in source code ( APS.NET)
  • A deep dive into ASP.NET Deserialization
  • Writeups by mr_me

• Youtube Playlist

  • https://www.youtube.com/watch?v=Xfbu-pQ1tIc&list=PLwvifWoWyqwqkmJ3ieTG6uXUSuid95L33

• 2025 Updates — What’s Changed

  The core exam format and vulnerability classes haven’t changed dramatically since 2020, but the tooling and resources have improved significantly:

  • PortSwigger Web Security Academy is now the single best free resource for OSWE prep — covers every vulnerability class with interactive labs. Prioritise this over most other resources below.
  • blog.ripstech.com is now Sonar Research (sonarsource.com/blog) — the old links still work but check the new blog for recent PHP/Java audit content.
  • The OWASP Top 10 links below reference the 2017 version — the 2021 version is current but the vulnerability classes relevant to OSWE haven’t changed materially.
  • PayloadsAllTheThings remains the most useful single reference — bookmark it.

• Further References/Reviews

  • From AWAE to OSWE the preperation guide - hansesecure
  • OSWE Exam Review 2020 Notes gifts inside - 21y4d
  • OSWE Cheat Sheet - V1s3r1on
  • wetw0rk/AWAE-PREP
  • https://codewhitesec.blogspot.com/
  • https://blog.ripstech.com/
  • https://rhinosecuritylabs.com
  • PortSwigger Web Security Academy — Best free structured learning resource, covers all OSWE-relevant topics with labs
  • Sonar Research Blog — Successor to blog.ripstech.com, excellent code audit writeups
  • PayloadsAllTheThings — Most comprehensive payload reference