- Know how to script and automate in at least one programming language (preferably Python). Specifically, know how to interact with web applications, such as submitting forms or brute-forcing endpoints. Also know how to multi-thread.
- Know how MVC (model-view-controller) frameworks work. Maybe spend some time learning how Laravel in PHP or Django in Python works. Build a small web app as a practice if needed. If you are confident, you may skip this for now and learn about it during the course.
- Get familiar with the OWASP Top 10 vulnerabilities. You should be familiar with SQLi, XSS, LFI, RCE, SSTI and XXE. PortSwigger's Web Security Academy is a great place to practice these vulnerabilities. I will link to two more great guides/write-ups at the end that contain links to real-world applications for practice. If you want hardcore practice, here's an unlikely suggestion: solve the active web challenges on HackTheBox!
- Know regular expressions. You should be able to match and extract any particular data from a web page using regex.
- Get familiar with Burp Suite. You are only allowed to use the Community Edition, so stick to the Community Edition while practising.
- Unlike the OSCP course, the course book and the videos go hand in hand. Do not skip either one, or you will miss important details.
- Do all the exercises. Do the extra miles! Do every exercise that involves automation! Try to make your scripts modular so you can reuse them in the future if needed. For example, if there is a blind SQL injection, write individual functions and SQLi query template strings so you can reuse the code with little modification when you find the same vulnerability in a different application. If stuck, ask for help on the forum, the Infosec Prep Discord, or the Offensive Security Discord server.
- Create a checklist of all the vulnerabilities that you were taught during the course. Keep notes on each vulnerability and how to find it. This will greatly help during the exam, as you'll be able to work by process of elimination. As I said earlier, the course materials are enough to pass the exam. Take note of logical vulnerabilities and of the places where having them will allow you to exploit the application.
- Solve the extra lab machines. You'll be given multiple extra lab machines with no guide or instructions on how to solve them. There may be multiple ways to solve a machine; if you have time, try solving it in more than one way.
- Remote debugging through RDP won't be a comfortable experience in the exam. Depending on your Internet speed, there may be severe delay or lag in the output. My suggestion is to use sshfs to mount the target application's source code locally and then use VS Code to open the mounted folder.
- Go through your checklist of vulnerabilities, and don't fall into rabbit holes! Even if something looks vulnerable, if you can't reach the vulnerable portion of code then you cannot exploit it. Have a scenario in mind for the overall exploitation as soon as you confirm a vulnerability.
- If you find a vulnerability but don't know what to do with it, think about what additional things you can gain from it. Use the debugging machines to your advantage: look into the system, and insert custom code to log values if necessary.
- Take breaks! 48 hours is a long time, and you need to keep your head straight throughout this exam. When you take a break to catch some air, you'll come back with new ideas to try. Sleep a little if possible.
- Do not give up until the end! After a while you may think it's a losing battle and that you should give up, but don't! You may think you have looked everywhere, but you haven't; these applications are purposefully vulnerable, so the vulnerability must exist!
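Putting the scripting, regex and modularity tips above together, here is a small added example of my own (not code from the course or from this post): a reusable helper that pulls hidden form fields such as a CSRF token out of a page with regular expressions, merges them into a form body ready to submit, and runs over several pages with a thread pool. The HTML is a constructed sample, not a real application.

```python
import re
from concurrent.futures import ThreadPoolExecutor

# Constructed sample page: a login form with a hidden CSRF token and a
# hidden redirect field, the kind of values a script must pick up before
# it can submit the form. Not taken from any real application.
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input type="hidden" name="_token" value="a1b2c3d4e5f6">
  <input type="hidden" name="redirect" value="/dashboard">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>
</body></html>
"""

# Match one <input ...> tag at a time; attribute order is not guaranteed,
# so name/value/type are pulled out of the tag body in a second step.
INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r'\b(\w+)\s*=\s*"([^"]*)"')


def hidden_fields(html):
    """Return {name: value} for every <input type="hidden"> on the page."""
    fields = {}
    for tag in INPUT_TAG.findall(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        if attrs.get("type", "").lower() == "hidden" and "name" in attrs:
            fields[attrs["name"]] = attrs.get("value", "")
    return fields


def build_login_body(html, username, password):
    """Merge the page's hidden fields with the credentials to submit."""
    body = hidden_fields(html)
    body.update({"username": username, "password": password})
    return body


def extract_many(pages, workers=4):
    """Run hidden_fields over several fetched pages concurrently."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(hidden_fields, pages))


if __name__ == "__main__":
    print(build_login_body(SAMPLE_HTML, "alice", "s3cret"))
```

In a real script the HTML would come from a `requests` session so the same session cookie is used for the GET that fetches the token and the POST that submits it.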