{"id":13842330,"url":"https://github.com/M507/AWAE-Preparation","last_synced_at":"2025-07-11T15:30:48.797Z","repository":{"id":115649348,"uuid":"201974931","full_name":"M507/AWAE-Preparation","owner":"M507","description":"This repository will contain all trainings and tutorials I have done/read to prepare for OSWE / AWAE.","archived":false,"fork":false,"pushed_at":"2019-09-02T00:51:30.000Z","size":49,"stargazers_count":235,"open_issues_count":0,"forks_count":68,"subscribers_count":13,"default_branch":"master","last_synced_at":"2024-11-21T13:34:28.993Z","etag":null,"topics":["advanced-web-application-pentesting","awae","offensive-security","offsec","oswe","study-guide"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/M507.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-08-12T17:09:36.000Z","updated_at":"2024-11-21T08:35:41.000Z","dependencies_parsed_at":null,"dependency_job_id":"769338d6-918c-42c5-82dc-179cbebf4c98","html_url":"https://github.com/M507/AWAE-Preparation","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/M507/AWAE-Preparation","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/M507%2FAWAE-Preparation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/M507%2FAWAE-Preparation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/M507%2FAWAE-Preparation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/M507%2FAWAE-Preparation/manifests","
owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/M507","download_url":"https://codeload.github.com/M507/AWAE-Preparation/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/M507%2FAWAE-Preparation/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264840363,"owners_count":23671649,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["advanced-web-application-pentesting","awae","offensive-security","offsec","oswe","study-guide"],"created_at":"2024-08-04T17:01:32.228Z","updated_at":"2025-07-11T15:30:48.510Z","avatar_url":"https://github.com/M507.png","language":null,"funding_links":[],"categories":["Others (1002)","Others","Resources"],"sub_categories":["Training and Certifications"],"readme":"# AWAE-Preparation\nThis repository will contain all trainings and tutorials I have done/read to prepare for OSWE.\n\n### Course Syllabus:\nhttps://www.offensive-security.com/documentation/awae-syllabus.pdf\n\n### Before AWAE:\nI would not recommend taking the course before at least finishing all SQL and XSS injection challenges in bWAPP\nhttps://sourceforge.net/projects/bwapp/files/bee-box/ and being able to understand and debug different languages like **C#, PHP, Java, and JavaScript**.\n\n* #### Cross-Site Scripting:\n   * https://xhr.spec.whatwg.org/\n* #### Session Hijacking \n   * https://popped.io/hijacking-sessions-using-socat/\n   * https://pentesterlab.com/exercises/xss_and_mysql_file/course\n* #### Persistent Cross-Site Scripting\n   * 
https://www.acunetix.com/blog/articles/persistent-xss/\n   * https://portswigger.net/web-security/cross-site-scripting\n* #### Cross-Site Request Forgery\n   * https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html \n* #### XSS and MySQL\n   * https://www.vulnhub.com/entry/pentester-lab-xss-and-mysql-file,66/\n\n* #### Bypassing File Upload Restrictions:\n   * https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf\n   * http://www.securityidiots.com/Web-Pentest/hacking-website-by-shell-uploading.html\n   * https://www.owasp.org/index.php/Unrestricted_File_Upload\n   * Popcorn machine from HackTheBox\n   * Vault machine from HackTheBox\n\n* #### PHP Type Juggling:\n   * https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf \n   * https://medium.com/@Q2hpY2tlblB3bnk/php-type-juggling-c34a10630b10 \n   * https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/\n   * https://www.netsparker.com/blog/web-security/php-type-juggling-vulnerabilities/\n   * http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html\n   * https://www.netsparker.com/blog/web-security/type-juggling-authentication-bypass-cms-made-simple/\n   * https://www.php.net/manual/en/types.comparisons.php\n   * https://github.com/spaze/hashes\n   * https://www.whitehatsec.com/blog/magic-hashes/\n   * Falafel machine from HackTheBox\n\n* #### Deserialization:\n   * https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html\n   * https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf\n   * https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Deserialization_Cheat_Sheet.md\n   * https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Aleksei%20Tiurin_Deserialization%20vulnerabilities.pdf\n   * https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf\n   * 
https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf\n\n* #### .NET Deserialization:\n   * https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf\n   * https://github.com/pwntester/ysoserial.net\n   * https://github.com/0xd4d/dnSpy\n\n* #### Java Deserialization:\n   * https://www.n00py.io/2017/11/exploiting-blind-java-deserialization-with-burp-and-ysoserial/\n   * https://www.owasp.org/images/7/71/GOD16-Deserialization.pdf\n   * https://github.com/frohoff/ysoserial \n   * https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md\n   * https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/\n\n* #### JavaScript Injection:\n   * https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html\n   * https://capacitorset.github.io/mathjs/\n\n* #### NodeJS:\n   * https://maikthulhu.github.io/2019-05-17-remote-debugging-node-vscode/\n   * https://github.com/ajinabraham/Node.Js-Security-Course\n   * https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/\n   * https://www.yeahhub.com/nodejs-deserialization-attack-detailed-tutorial-2018/\n   * Celestial machine from HackTheBox\n\n* #### SQLi:\n   * https://pentesterlab.com/exercises/from_sqli_to_shell/course\n   * https://www.acunetix.com/websitesecurity/blind-sql-injection/\n* #### PostgreSQL\n   * http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet\n   * http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt\n   * https://www.exploit-db.com/papers/13084\n   * http://www.postgresqltutorial.com/postgresql-string-functions/ \n   * https://www.linuxtopia.org/online_books/database_guides/Practical_PostgreSQL_database/c7547_002.htm\n   * https://www.infigo.hr/files/INFIGO-TD-2009-04_PostgreSQL_injection_ENG.pdf\n   * 
https://dotcppfile.wordpress.com/2014/07/12/blind-postgresql-sql-injection-tutorial/\n\n* #### Long Readings:\n    * Use of Deserialization in .NET Framework Methods and Classes.\nhttps://www.nccgroup.trust/globalassets/our-research/uk/images/whitepaper-new.pdf\n    * https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf\n\n## Before The Exam:\n**The Web Application Hacker's Handbook** is your friend. The negative part of the AWAE course is that they did not include enough methodologies for vulnerability discovery; thus, I strongly recommend reading Chapter 21 from **The Web Application Hacker's Handbook**, and being comfortable debugging C#, Java, PHP, and JavaScript, using Burp Suite, dnSpy, JD-GUI, Visual Studio, and writing a custom PoC in at least one language :).\n\n🐦 [@Mohdcsec](http://twitter.com/mohdcsec \"@Mohdcsec\")\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FM507%2FAWAE-Preparation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FM507%2FAWAE-Preparation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FM507%2FAWAE-Preparation/lists"}