I have noticed a lack of reasonable tips for OSWE so I would like to share 5 from my personal experience on how to better prepare for the course and most importantly the exam.
I got the results for completing OSWE exam on 7th of February 2020 and it was one of the hardest things i have done. Nonetheless I completed the exam within 23 of 48 hours. This is with sleep of 7 hours + 10 minute breaks every hour. Now this is not to state that I am some expert, but to show that the time is enough for you to stay healthy. Staying healthy is not actually a tip for this exam, but for life in general. Eating healthy food, taking breaks plus getting proper sleep time, exercising, removing all the unnecessary distractions will get you further in the long run.
1. The course materials are not enough
Now this is not to take anything away from the course materials I think they are great, but you need to do extra work in order to succeed. If you go through the course point to point and don’t struggle too much on extra miles, it will be quite a breeze to get through the course materials. Now this is considered you already have some experience in reading code and developing proof of concept scripts.
An important note here is that you should highly value the course materials and base your extra research on the things presented. For example don’t start learning some other programming language that’s not asked from you in order to complete the exam, you can easily do that after.
You might ask, well what do I do to prepare outside of course materials? Below I linked a really great github repository with some materials and a Google search will throw even more results. I would also highly recommend to find an application with a high severity vulnerability in one of the presented languages (go with C# or Java first), download the unpatched version and have a go at it. Do the full cycle, get to know the application, find the vulnerability, write a working exploit (the exploit needs to be run and pwn).
2. Learn your exploit development language well
I would recommend using Python as your exploit development language, but if you feel really comfortable in any other language, feel free to use that. Ensure that you go through courses to learn that language. For Python make sure that you feel really comfortable with requests library, since this is a “web” certification after all.
3. Technology first, vulnerabilities second
Learning the technology first is important, because you will not get little snippets of vulnerable code, you will get the full application, which could include massive amounts of code so you need to understand at which parts handle authentication, authorization, input validation etc. to actually manage to find any vulnerabilities in each of the programming languages. Get comfortable with reading large amounts of code, but don’t forget that you also have the User Interface available.
I can’t stress enough how important this is. Take your time during the exam of getting to know the application the user interface as well as the code base, there is enough of time for that. Focus on the parts you are asked to, look for oddities that just seem strange and out of place and verify them in code.
4. Have a plan
This goes hand in hand with point number three. You need to have a good plan to succeed.
Now I can’t really share my plan, because it might contain some information that could get leaked from the exam, but it was nothing impressive, like 30-50 lines at most. It contained the general approach (stated in the course materials) plus for each of the programming language best ways to work with the code and their common vulnerabilities with snippets on how they look. Keep in mind that you most likely won’t be able to do a search to find the vulnerability directly or you might find something which could lead you down a massive rabbit hole.
5. Try harder
This is quite an obvious slogan for Offensive Security but in order to succeed in this exam you will really need to get your hands dirty. I actually made a massive mistake on one of the exam tasks, which led me down a huge rabbit hole and I lost hours of time there just because of the sheer amount of code presented to me and by no doubt, this can happen to you, there are no easy pickings in this exam. Keep focused, don’t be afraid to take a step back, eat healthy food, take regular breaks and try harder!