
OSWA - A little web cert (2026)

· 8 min read
potions3ller
Offensive Security Specialist


Hello reader, it has been a while, hasn't it? That wasn't what I promised when I launched this website, but of the many budding bloggers who start out excited, keen and promising, almost as many fail to make a second post. So here we are, the second post.

The last six months have been extremely interesting, much has been happening with my career below the surface. A very successful secondment introduced me to many amazing people who have invested significant time and resources into my development and as a way to pay them back I have continued the study grind.

I was fortunate enough to be lent an enterprise license for OffSec which means I have the opportunity to start working on some extremely fun courses and hopefully get some new certifications to add to my office wall. Starting this off was OSWA (OffSec Web Assessor). This was a bit of a strange one, but before I dive into that I will provide some background.

Towards the end of last year I found the contact details of the fella who manages the OffSec enterprise licenses at my company - this might sound ridiculous but when you work for an organisation the size of a small nation it makes more sense - and tried my luck at requesting one. He rightly explained that I do not work for, with or anywhere near him and so it would not be in his budgetary interest to provide me a $6,299 annual enterprise license. Fair enough.

God loves a trier though.

Having now been introduced, I bore that in mind as I started my secondment almost half a year later. This time I was far closer to his remit and once again had a punt; much to my surprise, he generously lent me access. This was a huge win for me as I had struggled to garner buy-in for such a lavish expense from my own team. There was one issue, however. I only had 9 weeks in his sub-organisation, and that meant I needed to pick something I felt I could complete within a reasonable timeframe, or at least get some practical use from the syllabus. So my plan was to go for OSWA (WEB-200). It was the same level as OSCP but had a shorter time-rated course. Honestly, I wanted to tackle OSEP or OSWE, but without a clear understanding of how long I had with the license I couldn't risk squandering the opportunity to grab another cert, free of charge.

So what unfolded next was an extremely busy work schedule and some diligent reading. The course is made up of 16 modules which should take a learner roughly 231 hours to complete. Additionally, there were 11 challenge labs to complete. So naturally, I bought myself an iPad and got reading. The course began by covering a web application enumeration methodology which I thought wasn’t too dissimilar from the OSCP. In fact, that is the story for just about everything in the course… It’s essentially just OSCP-lite.

My honest opinion was that the majority of the topics were outdated. That's not to say they were not interesting and explanatory, but let's be real, how many webapps are shipping without the HttpOnly flag? A lot of the attack chains are just not possible these days; maybe in 2006 you would find SQL injection in login forms, but again, I have never seen that, in production, in my entire career.
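The two findings named above (a login form with SQL injection, and a cookie set without the HttpOnly flag) shown as code, as an added example that is not part of the original post or the OSWA course material. The table, the user record, the cookie headers and the payload are all constructed for the example; the point is to show what the vulnerable login looks like beside its parameterised fix, and what a header check for the missing flag amounts to.

```python
"""
Added example: a string-built login query beside its parameterised fix,
exercised with a classic comment-based auth-bypass payload, plus a small
Set-Cookie check for the HttpOnly flag. All data here is constructed.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data: one user whose password the attacker does not know.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable: user input is pasted straight into the SQL text, so a
    # username of  alice' --  closes the string and comments out the
    # password check.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Fixed: bound parameters. The driver sends the values separately from
    # the statement, so quotes and comment markers in the input are just data.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def cookie_flags(set_cookie: str) -> dict:
    # Parse one Set-Cookie header value into the cookie name and the
    # attribute flags a reviewer cares about.
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return {
        "name": name,
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
    }


def missing_httponly(set_cookie_headers: list) -> list:
    # Names of cookies set without HttpOnly, i.e. readable from page script.
    return [
        cookie_flags(h)["name"]
        for h in set_cookie_headers
        if not cookie_flags(h)["httponly"]
    ]


# Constructed response headers for the cookie check.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "tracking=xyz; Path=/",
]

# Constructed bypass payload: closes the username literal and comments out the rest.
BYPASS_USERNAME = "alice' --"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, bypass payload:", login_vulnerable(db, BYPASS_USERNAME, "wrong"))
    print("fixed, bypass payload:     ", login_fixed(db, BYPASS_USERNAME, "wrong"))
    print("fixed, real credentials:   ", login_fixed(db, "alice", "correct horse battery staple"))
    print("cookies without HttpOnly:  ", missing_httponly(SAMPLE_HEADERS))
```

Running it shows the payload logging in through the concatenated query and failing against the parameterised one, and reports `tracking` as the cookie that page script could read.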

Okay, so what? It's old, but is that a problem? Yes and no. Yes, it's a problem if you have just paid $2,749 for a Learn One subscription; it's certainly not worth the money. No, it's not a problem if you want to learn the basics before moving on to, presumably, OSWE, which is more advanced and likely teaches skills that can be leveraged in the field to this day. It was an early-careers course in my opinion, and one that could be avoided if you have access to YouTube or HackTheBox. Obviously, for myself, where it didn't cost me anything and I can still access other courses, it was not an issue.

How does it stack up against OSCP? Well, OSCP was significantly more difficult; it exposes you to many different technologies, including but not limited to web, and in general has more breadth. I certainly thought that this course fit within the OSCP curriculum, hence the OSCP-lite moniker. It's also worth pointing out that the exams are totally different. OSWA drops you five IPs, all of which host a website, and your task is to find a way to bypass the authentication and sign in; that is how you obtain the local.txt flag. After that you need to elevate your session to administrator and obtain the proof.txt flag. 10 points for each, 70 points to pass. This took some figuring out because I didn't read the instructions lol.

Now dear reader, I do not want you to be misled here. The course was well written and covered the how and why for each technique included. It is just targeted at beginners, which I do not think is the same for OSCP despite them both being 200 level courses. I also believe that if you have done the OSCP recently you don’t need to read much of the course to sit the exam, I know this because…


I only completed 35% of the course before I passed the exam. There was a significant amount of overlap. But there is more to this story; shortly after getting access to the license I was invited to the early access of the OSAI (AI-300) course, which is very, very interesting. The course, that is, not that I got invited. As a result, I just stopped looking at OSWA altogether and set my focus on OSAI, as the course was only 60 hours. There was an issue, however: with it being brand new, there were no exam slots, and even to this day no one external to OffSec has sat the exam. When I realised this, I was stuck with potentially not much time left with the license, as my secondment was coming to a close, and no certification in my hand.

What I did not realise before this saga was that you cannot just book yourself onto the exam when you have an enterprise license; you are required to request an exam voucher from your account manager. I did this very early on, and then forgot that I had done so because I was so engrossed in the OSAI course. Then in mid-June I was sent an email saying that my exam voucher was going to expire in two weeks. SH*T! So I booked onto the exam and had another flick through the course material.

Exam day

Exam day rolled around. I started at 11am on a Sunday, which was poorly planned as I also had to hit the road with work early doors Monday. So I did not have even 24 hours to get enough flags to pass and write the report, let alone the full 48 hours. It took me some time to get my footing on exam day; as I said earlier, I hadn't read the exam instructions properly, so I didn't know the meta for flag capture. I soon figured it out and got underway.

Obviously I can't go into any detail about the exam, but it was an enjoyable challenge. It was easier than OSCP: different, but not as taxing or stressful. I got all of the flags I needed by midnight; this time around I made sure to take regular breaks and leave to cook dinner. I stayed up until 3am report writing, slept for 2 or 3 hours, awoke, proofread my report (as much as you can with a couple of hours of sleep), made some changes and submitted it before I needed to leave for my work trip.

To OffSec's credit, they sent me my results on the Tuesday, which was surprisingly fast. So I am now OSWA certified and I have another lovely coloured certification to stick on my office wall.

All in, it's worth doing if you want a bit of a challenge. It's low stress, low stakes, and really only worth it if you're not paying for it. If you have done OSCP, it's an easy win afterwards.

Written without AI.