OSWE — Advanced Web Attacks & Exploitation (WEB-300)

Section 01

01. At a Glance

About the course

OSWE is the elite web-application credential. You read source code (PHP, Java, Node.js, .NET) to find authentication bypasses, deserialization, type juggling — then chain them into RCEs. Macksofy's bootcamp covers OSWE-specific labs plus modern web research.

Section 02

02. Who Is This Course For

• Senior web pen-testers
• Bug bounty hunters
• Application security engineers

Prerequisites

• Strong web fundamentals
• Read PHP / Java / Node.js source code

Section 03

03. What You Will Be Able To Do

• Read source code to find auth bypass, deserialization, RCE
• Chain logic vulnerabilities for full system compromise
• Pass the 48-hour OSWE exam

Section 04

04. Curriculum — 14 Modules

Module structure and topic coverage authored by Macksofy Technologies based on the publicly-published vendor syllabus, current as of the issue date of this brochure. Vendor reserves the right to revise content; Macksofy keeps cohort material aligned to the latest release.

1. Module 01

   Module 01 · Tools & Methodologies

   4 topics
   • White-box source-review workflow
   • Burp Suite Pro mastery
   • Custom Burp extensions (Python via Jython, Java BApps)
   • Note-taking & diffing patterns
2. Module 02

   Module 02 · ATutor Authentication Bypass and RCE

   4 topics
   • PHP source review
   • Logic-flaw discovery
   • Chained authentication bypass
   • Path to file-write RCE
3. Module 03

   Module 03 · ATutor LMS Type Juggling Vulnerability

   3 topics
   • PHP loose comparison weaknesses
   • Magic hash exploitation
   • Fixed-point hash collisions
4. Module 04

   Module 04 · ManageEngine SQL Injection (AMUserResourcesSyncServlet)

   3 topics
   • Java source-code review
   • Blind boolean SQLi at scale
   • Out-of-band exfiltration
5. Module 05

   Module 05 · Bassmaster NodeJS Arbitrary JS Injection

   3 topics
   • JavaScript source review
   • eval / Function() abuse
   • Async exploit chains
6. Module 06

   Module 06 · DotNetNuke Cookie Deserialization RCE

   3 topics
   • .NET BinaryFormatter risks
   • ysoserial.net gadget chains
   • Cookie / session payload delivery
7. Module 07

   Module 07 · ERPNext Authentication Bypass and SSTI

   3 topics
   • Python / Frappe source review
   • Authentication-logic flaw chaining
   • Server-Side Template Injection (Jinja2)
8. Module 08

   Module 08 · openCRX Authentication Bypass and RCE

   3 topics
   • Java enterprise app review
   • Privilege confusion exploitation
   • Reaching RCE via post-auth functionality
9. Module 09

   Module 09 · openITCOCKPIT XSS and OS Command Injection (black-box)

   3 topics
   • Black-box approach to OS command injection
   • Stored XSS chaining
   • Combining web flaws into RCE
10. Module 10

    Module 10 · Concord Authentication Bypass to RCE

    3 topics
    • Spring / Java application review
    • Authentication-logic exploitation
    • Reaching shell via misconfigured serialization
11. Module 11

    Module 11 · Server-Side Request Forgery (SSRF)

    3 topics
    • URL parser confusion
    • Cloud-metadata SSRF (AWS/Azure)
    • Blind SSRF detection patterns
12. Module 12

    Module 12 · Guacamole Lite Prototype Pollution

    3 topics
    • Node.js prototype pollution discovery
    • Property-pollution → RCE pivot
    • Hardening recommendations
13. Module 13

    Module 13 · Conclusion & Exam Preparation

    3 topics
    • 48-hour exam strategy
    • Note discipline & report deliverable
    • Common pitfalls & how to recover
14. Module 14

    Macksofy bootcamp · Modern web extensions

    4 topics
    • GraphQL deep introspection attacks
    • Web-cache deception & poisoning
    • HTTP request smuggling
    • OAuth 2.0 / OIDC flow attacks

Section 05

05. Tools You Will Operate

Section 06

06. Career Outcomes

Section 07

07. Placement Support

Macksofy's placement desk works directly with 80+ hiring partners across India and the UAE. Resume coaching, mock interviews and direct intros included.

• 1:1 resume + LinkedIn rewrite with our hiring desk
• Mock interviews with active practitioners
• Direct intros to BFSI, fintech and Big-4 partners
• UAE placement support (Dubai, Abu Dhabi)

Section 08

08. Why Macksofy

• Vendor-true delivery — Macksofy is a hands-on cybersecurity training provider delivering practitioner-led bootcamps with exam-prep support.
• Practitioner-led delivery — every Macksofy instructor is a working OSCP / OSWE / OSEP / CISA-certified consultant on real client engagements during the week.
• Mentor support until you pass — extended access to mentor office hours and exam-day prep at no additional cost.
• Placement desk — Macksofy works with 80+ hiring partners across India and the UAE; your post-course resume, portfolio review and mock interviews are included.
• Indian classroom + online cohorts — onsite delivery in Mumbai BKC and Hyderabad HITEC City; live virtual cohorts pan-India with recordings.

Section 09

09. How to Enrol

1. Submit the enquiry form at macksofy.com/contact or call +91 99308 24239.
2. A Macksofy advisor will respond within 4 business hours with the next batch dates, payment terms and invoice.
3. Confirm enrolment via NEFT / RTGS / corporate card. EMI options available for select courses.
4. Receive welcome kit, lab credentials and the cohort calendar within 24 hours of confirmation.