A design flaw that allows a user to cheat in Offensive Security Exams

In July 2018, Offensive Security announced online exam proctoring. Since then, all Offensive Security certification exams have been monitored to prevent cheating. When I was taking the Offensive Security Web Expert (OSWE) exam, I thought about checking for a design flaw in the proctor session. I found out that when you click on “END EXAM”, it only ends the proctor session but not the VPN session, so you could still access the environment without a proctoring session. This might look like a simple flaw, but it could hurt the integrity part of the CIA triad (confidentiality, integrity and availability). All the resources that Offensive Security spends on proctoring sessions are useless, and it compromises the prestige and value of the certs.

Note: This vulnerability was reported four months ago to Offensive Security, but they seem not to care about fixing it.

Update: Offensive Security has fixed this design flaw vulnerability.

Description:

This is a design flaw in the proctor session. The flaw exists in the “END EXAM” functionality.

Expected Behavior:

The “END EXAM” functionality should end the VPN session of the user.

Current Behavior:

The “END EXAM” functionality only ends the user’s proctor session, not the VPN session. The user can still access the provided machines without a proctor session.

If the user ends the webcam session, the user can still access the VPN, which means the session never ended.
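
The gap between the expected and current behaviour above, modelled as an added example (not code from the original post or from Offensive Security). `Exam`, `VpnGateway`, the log format and the gateway's access check are hypothetical assumptions; `unproctored_logins` is an audit a defender could run over VPN login records.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

EXAM_WINDOW = timedelta(hours=48)  # exam time limit stated in the post

@dataclass
class Exam:
    candidate: str                      # hypothetical identifier
    started: datetime
    ended: Optional[datetime] = None    # set when END EXAM is clicked

@dataclass
class VpnGateway:
    bind_to_exam_state: bool            # False models the reported flaw
    tunnels: set = field(default_factory=set)

    def connect(self, exam, now):
        """Admit a tunnel only if the access policy allows it."""
        allowed = now < exam.started + EXAM_WINDOW
        if self.bind_to_exam_state:     # expected behaviour: exam must be open
            allowed = allowed and exam.ended is None
        if allowed:
            self.tunnels.add(exam.candidate)
        return allowed

def end_exam(exam, gateway, now):
    """END EXAM handler: closes the proctor session and, when the gateway
    is bound to exam state, drops the live tunnel as well."""
    exam.ended = now
    if gateway.bind_to_exam_state:
        gateway.tunnels.discard(exam.candidate)

def unproctored_logins(exam, vpn_log):
    """Audit check: VPN logins by this candidate after END EXAM."""
    if exam.ended is None:
        return []
    return [t for who, t in vpn_log if who == exam.candidate and t > exam.ended]

def replay(bind):
    """Replay the post's timeline: end at 12 h, reconnect at 13 h and 49 h."""
    t0 = datetime(2019, 1, 1, 9, 0)     # constructed start time
    exam, gw = Exam("candidate-1", t0), VpnGateway(bind)
    gw.connect(exam, t0)
    end_exam(exam, gw, t0 + timedelta(hours=12))
    return [gw.connect(exam, t0 + timedelta(hours=h)) for h in (13, 49)]
```
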

PoC:

1- Click on END EXAM

2- After ending the exam, the system will log you out

After ending the exam, I tried to log in multiple times, but it gave the error “Invalid OSID/MD5 Value”.

So I checked my VPN connection to see whether I could still access the provided machines. I disconnected my VPN, reconnected, and then tried to access the machines, and I was able to connect to the provided machines (after ending my exam).

I finished the exam after 12 hours, and I was able to access the machines for the next 36 hours; I only lost access after the 48-hour exam time limit.

 

HabibK

 
