This Friday, November 21st, I’ll be sitting for the OffSec Web Expert (OSWE) exam - my second step toward completing the OSCE³ certification trilogy. After earning my OSEP earlier this year, I’ve been deep in the trenches of web application security, preparing for what many consider one of the most challenging hands-on security certifications available.
The OSWE Challenge
The OSWE (and its associated AWAE course) focuses on advanced web application security and source code review. Unlike many other certifications that test breadth of knowledge, OSWE demands depth - the ability to analyze source code, identify subtle vulnerabilities, and chain them together into working exploits. It’s not about running automated tools; it’s about understanding the “why” behind vulnerabilities at the code level.
My Preparation Strategy
AWAE Coursework
The foundation of my preparation has been the Advanced Web Attacks and Exploitation (AWAE) course material itself. The course provides comprehensive coverage of:
- White-box web application testing
- Source code review methodologies
- Authentication and session management vulnerabilities
- SQL injection variants and exploitation techniques
- Cross-site scripting (XSS) in depth
- Template injection vulnerabilities
- Deserialization attacks
- And much more
The AWAE labs are incredibly well-designed, forcing you to read through thousands of lines of code to identify vulnerability chains. This isn’t point-and-click hacking - it’s methodical analysis and exploitation.
PortSwigger Academy
PortSwigger’s Web Security Academy has been an invaluable supplemental resource. The platform offers:
- Interactive labs covering a wide range of web vulnerabilities
- Detailed explanations of attack techniques
- Progressive difficulty levels
- Real-world scenarios and edge cases
I’ve worked through the advanced tracks for SQL injection, authentication vulnerabilities, server-side template injection, and deserialization. The hands-on practice has been crucial for developing the pattern recognition skills needed to spot vulnerabilities in unfamiliar codebases.
Rana Khalil’s Training Materials
Rana Khalil’s OSWE preparation materials have been a game-changer. Her systematic approach to breaking down complex vulnerabilities and her detailed walkthroughs helped me:
- Develop a structured methodology for code review
- Understand common vulnerability patterns across different languages
- Learn effective note-taking and documentation strategies
- Practice exploit development workflows
Her content fills in gaps and provides alternative perspectives on the AWAE material, which has been incredibly helpful for reinforcing concepts.
PentesterLab Secure Code Review Challenges
PentesterLab’s secure code review challenges provided additional practice with real-world applications. These challenges helped me:
- Sharpen my code analysis skills across multiple languages (PHP, Java, .NET, Python)
- Practice identifying vulnerabilities without hints or guidance
- Develop efficient code navigation techniques
- Build confidence in my ability to find bugs in unfamiliar code
The variety of applications and vulnerability types ensured I wasn’t just memorizing exploit patterns from the AWAE labs, but actually developing transferable skills.
The Road to OSCE³
Earning the OSEP (OffSec Experienced Penetration Tester) was my first major milestone toward the OSCE³. That certification focused on advanced penetration testing, Active Directory attacks, and bypass techniques. It taught me to think like an adversary operating in enterprise environments.
The OSWE represents a different dimension of offensive security - the deep understanding of application security and the ability to find vulnerabilities that automated scanners miss. Together with the OSEP, it demonstrates proficiency in both infrastructure and application-layer attacks.
If I pass the OSWE this Friday, I’ll have two-thirds of the OSCE³ certification complete. The final piece will be the OSED (OffSec Exploit Developer), focusing on exploit development and reverse engineering.
Exam Day Approach
My strategy for the 48-hour exam is straightforward:
- Read all instructions carefully - Understanding the requirements is critical
- Methodical enumeration - Map out all functionality before diving into code
- Systematic code review - Follow the data, trace user input, look for dangerous functions
- Document everything - Screenshots, code snippets, and detailed notes for the report
- Take breaks - 48 hours is a marathon, not a sprint
- Stay calm - Trust the preparation and the methodology
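The "follow the data, trace user input, look for dangerous functions" step is the one that scales worst by hand across thousands of lines, so a first automated pass that orders the manual review is worth having. The script below is an added example written for this post; it is not code from the post, from AWAE, or from any of the training providers mentioned. It marks where untrusted input enters a file (`$_GET`, `request.args`, and similar), propagates that taint through simple assignments, flags known dangerous sinks, and reports which sinks untrusted data actually reaches. The source and sink pattern tables and the two embedded PHP and Flask snippets are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed pattern tables for this example; a real review extends them per framework.
# Each sink pattern maps to the vulnerability class that sink most commonly produces.
SINKS = {
    "php": {
        r"\beval\s*\(": "code injection",
        r"\b(system|exec|shell_exec|passthru)\s*\(": "command injection",
        r"\bunserialize\s*\(": "insecure deserialization",
        r"\bmysqli_query\s*\(|->query\s*\(": "SQL injection",
        r"\b(include|require)(_once)?\b[^;]*\$": "file inclusion",
    },
    "python": {
        r"\b(eval|exec)\s*\(": "code injection",
        r"\bos\.system\s*\(|\bsubprocess\.\w+\(.*shell\s*=\s*True": "command injection",
        r"\bpickle\.loads?\s*\(|\byaml\.load\s*\(": "insecure deserialization",
        r"\.execute\s*\(\s*(f[\"']|[\"'][^\"']*[\"']\s*[%+])": "SQL injection",
        r"\brender_template_string\s*\(": "server-side template injection",
    },
}

# Where untrusted data enters the application.
SOURCES = {
    "php": r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b",
    "python": r"\brequest\.(args|form|values|json|cookies|data|get_json)\b",
}

# Left-hand side of a simple assignment, used to carry taint from one line to later ones.
ASSIGNMENT = {
    "php": r"^\s*(\$\w+)\s*=[^=]",
    "python": r"^\s*(\w+)\s*=[^=]",
}


@dataclass(frozen=True)
class Finding:
    line: int
    label: str      # vulnerability class of the sink
    tainted: bool   # does untrusted input (directly or via a variable) appear on this line?
    text: str


def _mentions(variables, text):
    return any(re.search(re.escape(v) + r"\b", text) for v in variables)


def review(source_text, language):
    """Single pass over one file: track variables assigned from a source (or from
    another tainted variable), flag every dangerous sink, and mark whether tainted
    data appears on the sink's line. This is a line-level triage heuristic, not
    dataflow analysis: it does not recognise sanitisers (int(), htmlspecialchars(),
    prepared statements) and does not follow data across functions or files."""
    tainted_vars = set()
    findings = []
    for lineno, line in enumerate(source_text.splitlines(), start=1):
        direct = re.search(SOURCES[language], line) is not None
        via_var = _mentions(tainted_vars, line)
        for pattern, label in SINKS[language].items():
            if re.search(pattern, line):
                findings.append(Finding(lineno, label, direct or via_var, line.strip()))
        assign = re.match(ASSIGNMENT[language], line)
        if assign:
            rhs = line.split("=", 1)[1]
            if re.search(SOURCES[language], rhs) or _mentions(tainted_vars, rhs):
                tainted_vars.add(assign.group(1))
            else:
                tainted_vars.discard(assign.group(1))  # overwritten with clean data
    return findings


def prioritise(findings):
    """Sinks reached by untrusted input, as (line, label): read these first."""
    return [(f.line, f.label) for f in findings if f.tainted]


# Constructed PHP handler (not from any real application).
PHP_SAMPLE = """\
<?php
$id = $_GET['id'];
$name = htmlspecialchars($_POST['name']);
$conn = new mysqli("localhost", "app", getenv("DB_PASS"), "shop");
$result = $conn->query("SELECT * FROM products WHERE id = " . $id);
$prefs = unserialize(base64_decode($_COOKIE['prefs']));
$limit = 10;
$page = $conn->query("SELECT * FROM pages LIMIT " . $limit);
echo $name;
"""

# Constructed Flask view (not from any real application).
PYTHON_SAMPLE = '''\
from flask import request, render_template_string
import subprocess

@app.route("/ping")
def ping():
    host = request.args.get("host")
    subprocess.run("ping -c 1 " + host, shell=True)
    return render_template_string("<p>Pinged " + host + "</p>")
'''

if __name__ == "__main__":
    for lang, sample in (("php", PHP_SAMPLE), ("python", PYTHON_SAMPLE)):
        for f in review(sample, lang):
            flag = "TAINTED" if f.tainted else "check  "
            print(f"{lang}:{f.line:<3} {flag} {f.label:<30} {f.text}")
```

On the PHP sample the script reports both `query()` calls as SQL injection sinks but only marks the one that concatenates `$id` as tainted; the `$limit` query is left as a lower-priority "check" item. The output is a reading order, not a verdict: a flagged sink still needs the reviewer to confirm that no sanitiser or prepared statement sits between source and sink, and a clean report says nothing about flows that cross function or file boundaries, which this heuristic cannot see.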
Final Thoughts
The OSWE isn’t just about passing an exam - it’s about developing skills that directly translate to real-world security assessment work. The ability to read source code and identify security flaws is invaluable whether you’re doing penetration testing, bug bounty hunting, or secure code review engagements.
I’ll be posting a follow-up after the exam with my experience and lessons learned (without violating the exam confidentiality, of course). Whether I pass or fail, the journey has already made me a better security professional.
Wish me luck for Friday!
Follow My Certification Journey:
If you want to follow my progress toward OSCE³ and other security certifications, connect with me on:
- Twitter: @MasePrace93
- LinkedIn: masonaprince
Got questions about OSWE prep or the OSCE³ path? Feel free to reach out!