Le PAD pour améliorer cette page : https://pad.zenk-security.com/p/merci
OSWE Certification Exam Guide https://support.offensive-security.com/oswe-exam-guide/
Tips from offsec about OSWE : https://twitter.com/offsectraining/status/1177221658622464000?s=19
Reviews
review http://essentialexploit.com/AWAE.html
review https://theevilbit.blogspot.com/2016/09/offensive-security-advanced-web-attacks.html
Video review https://m.youtube.com/watch?v=AqNBtINEChw
review and tips https://www.vesiluoma.com/offensive-security-web-expert-oswe-advanced-web-attacks-and-exploitation/
OSWE Preperation
AWAE-Preparation - This post contains all trainings and tutorials that could be useful for offensive security’s OSWE certification. I will be updating the post during my lab and preparation for the exam. https://z-r0crypt.github.io/blog/2020/01/22/oswe/awae-preparation/
This repository will serve as the “master” repo containing all trainings and tutorials done in preperation for OSWE https://github.com/ramihub/AWAE-PREP
my learning case to prepare OSWE exam https://github.com/sailay1996/offsec_WE
Preparation for coming AWAE Training. https://github.com/w4fz5uck5/OSWE
This repository will contain all trainings and tutorials I have done/read to prepare for OSWE / AWAE. https://github.com/M507/AWAE-Preparation
Video OSWE Preperation https://www.youtube.com/playlist?list=PLwvifWoWyqwqkmJ3ieTG6uXUSuid95L33
Video DAY[0] Episode #11 - Offsec's OSWE/AWAE, Massive Security failures, and a handful of cool attacks https://www.youtube.com/watch?v=2-kJ7Kh_5C4
Video OSWE Preperation https://www.youtube.com/watch?v=Xfbu-pQ1tIc&list=PLwvifWoWyqwqkmJ3ieTG6uXUSuid95L33
Video Web Hacking MasterClass™ - Pre OSWE Course | Sagar Bansal https://www.youtube.com/watch?v=bo3bisXP2iM
Video OSWE prep https://www.youtube.com/watch?v=t-zVC-CxYjw&list=PLL5n_4gj5JCw1aRrlVbdMCAugNz-ia3Wh
OSWE PREP https://github.com/rinku191/OSWE-prepration/wiki/PHP-Dangerous-function
Preparation for coming AWAE Training. Work in progress… https://github.com/timip/OSWE
Preparation for coming AWAE Training. Work in progress… https://github.com/ManhNho/AWAE-OSWE
This repository will serve as the “master” repo containing all trainings and tutorials done in preperation for OSWE in conjunction with the AWAE course. This repo will likely contain custom code by me and various courses. https://github.com/wetw0rk/AWAE-PREP
AWAE/OSWE PREP https://medium.com/@mucomplex/oswe-awae-exam-experience-and-tips-fbd55bbdffb8
AWAE/OSWE PREP (Code analysis to gaining rce and automating everything with Python) https://sarthaksaini.com/2019/awae/xss-rce.html
From AWAE to OSWE: The Preperation Guide https://hansesecure.de/2019/08/from-awae-to-oswe-the-preperation-guide/?lang=en
Deep Dive into .NET ViewState deserialization and its exploitation https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817
Atmail Mail Server Appliance: from XSS to RCE (6.4) CVE-2012-2593
https://www.exploit-db.com/exploits/20009
https://github.com/sourceincite/poc/blob/master/SRC-2016-0012.py
Atmail Webmail ⇒ 7.5 - Multiple Vulnerabilities https://cxsecurity.com/issue/WLB-2015020027
http://progdave.wikidot.com/basic-xss-attack
http://progdave.wikidot.com/basic-csrf-attack
ATutor Authentication Bypass and RCE (2.2.1) CVE-2016-2555
Install: https://sourceforge.net/projects/atutor/files/atutor_2_2_1/
https://www.exploit-db.com/exploits/39514
https://srcincite.io/advisories/src-2016-0009/
https://www.exploit-db.com/exploits/39639
https://github.com/atutor/ATutor/commit/d74f1177cfa92ed8e49aa65f724f308b4a3ac5b9
ATutor LMS Type Juggling Vulnerability (⇐2.2.1) CVE-?
Install: https://sourceforge.net/projects/atutor/files/atutor_2_2_1/
https://srcincite.io/advisories/src-2016-0012/
https://github.com/sourceincite/poc/blob/master/SRC-2016-0012.py
https://github.com/atutor/ATutor/commit/2eed42a74454355eddc7fc119e67af40dba1a94c
Reference: PHP Type Juggling
https://www.youtube.com/watch?v=ASYuK01H3Po
https://www.netsparker.com/blog/web-security/type-juggling-authentication-bypass-cms-made-simple/
ManageEngine Applications Manager AMUserResourcesSyncServlet SQL Injection RCE CVE-? Install:
http://archives.manageengine.com/applications_manager/12900
https://manageenginesales.co.uk/2018/05/manageengine-applications-manager-build-13730-released/
https://www.postgresql.org/docs/9.4/functions-binarystring.html
https://www.mulesoft.com/tcat/tomcat-jsp
Extra: Deserialization Vulnerability
https://www.geeksforgeeks.org/serialization-in-java/
https://github.com/frohoff/ysoserial
https://blog.jamesotten.com/post/applications-manager-rce/
https://www.youtube.com/watch?v=HaW15aMzBUM
https://www.youtube.com/watch?v=fHZKSCMWqF4
Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability (1.5.1) CVE-2014-7205 Install:
npm install bassmaster@1.5.1
https://www.npmjs.com/package/bassmaster
https://www.rapid7.com/db/modules/exploit/multi/http/bassmaster_js_injection
https://www.exploit-db.com/exploits/40689
https://vulners.com/nodejs/NODEJS:337
DotNetNuke Cookie Deserialization RCE (<9.1.1) CVE-2017-9822 Install:
https://github.com/dnnsoftware/Dnn.Platform/releases/tag/v9.1.0
https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf
https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf
https://gist.github.com/pwntester/72f76441901c91b25ee7922df5a8a9e4
https://www.youtube.com/watch?v=oUAeWhW5b8c
https://vulners.com/seebug/SSV:96326
https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization
https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf