The OSWE report is a code‑grounded exploit narrative. You are not just a pentester – you are a security researcher proving that reading the source code leads to a reliable, chainable attack. Focus on clarity, reproducibility, and precise code references. A well‑written report can save you even if your exploit is slightly unstable – the examiner must understand your reasoning.
Good luck with your OSWE exam!
The Offensive Security Web Expert (OSWE) exam report is a professional penetration testing document that serves as the final deliverable for the WEB-300 certification. It must detail every step taken to identify and exploit vulnerabilities during the 48-hour exam period.

Core Report Requirements
OffSec enforces strict documentation standards. Failing to provide a sufficiently detailed report can result in zero points, even if you successfully compromised all targets.
Reproducibility: A technically competent reader must be able to replicate your attacks step-by-step using only your report.
Proof of Success: You must include screenshots of local.txt and proof.txt flags, including the command used to display them and the machine's IP address.
Automation: For each target, you must provide a single, non-interactive exploit script (typically in Python) that automates the entire attack chain from start to finish.
Submission Format: The report must be submitted as a PDF archived within a .7z file.

Essential Report Structure
Using the official OffSec OSWE Exam Template is highly recommended to ensure no critical sections are missed. (Source: OSWE Exam FAQ - OffSec Support Portal)
The OffSec Web Expert (OSWE) exam requires a formal, professional report detailing the exploitation of two web applications within a 47 hour and 45 minute practical exam. Following the lab, you have to submit your documentation.
The report is a critical component of the certification; even if you achieve the required points, an incomplete or poorly formatted report can lead to failure.

OSWE Exam Report Requirements
Per OffSec requirements, your report must be submitted as a PDF archived into a .7z file using the naming convention OSWE-OS-XXXXX-Exam-Report.7z.

Core Document Structure
An acceptable report generally follows the Official OSWE Template, which includes the following sections: (Source: Advanced Web Attacks and Exploitation OSWE Exam Guide)
The OSWE (Offensive Security Web Expert) exam report is a critical component of the certification process. Unlike the OSCP, where the exam is purely practical, the OSWE requires you to submit a professional penetration test report documenting your findings and, crucially, the working exploit code.
Below is a comprehensive guide and structural template to help you produce a high-quality OSWE exam report.
Affected file & line: /modules/user/viewUser.php – line 42

Code snippet:
    $id = $_GET['id'];
    $query = "SELECT * FROM users WHERE id = " . $id;

Description: No input sanitisation; $id is concatenated directly into the query.

Proof of Concept:
    Request: GET /viewUser.php?id=1 UNION SELECT password FROM admins
    Response: shows the admin password hash.

Impact: Database disclosure, authentication bypass, potential RCE if combined with file write.
Repeat for each distinct vulnerability (e.g., File Upload Bypass, Command Injection, Auth Bypass).
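The finding template above records the vulnerable concatenation, and the report's Remediation section is expected to recommend parameterized queries. The following is an added example, not code from the original page or from OffSec: a hypothetical viewUser.php lookup written twice, first in the template's concatenated form and then hardened with integer validation and a PDO prepared statement, run against a constructed in-memory SQLite schema so both behaviours can be observed offline. The function names, the users/admins columns, the sample rows and the pdo_sqlite dependency are assumptions.

```php
<?php
// Added example (not from the original page): the finding template's vulnerable
// pattern beside a hardened version using PDO prepared statements.
// Function, table and column names below are assumptions for illustration.

// VULNERABLE: user input concatenated into the SQL string (the template's line 42).
function lookupUserVulnerable(PDO $db, string $id): array
{
    $query = "SELECT * FROM users WHERE id = " . $id;
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: validate the type first, then bind the value as a parameter so the
// database driver never interprets it as SQL.
function lookupUserSafe(PDO $db, string $rawId): ?array
{
    // Reject anything that is not a positive integer before touching the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Select only the columns the page needs; the password hash never leaves the query.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample schema and rows in an in-memory SQLite database
// (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec('CREATE TABLE admins (id INTEGER PRIMARY KEY, password TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 'constructed-user-hash')");
$db->exec("INSERT INTO admins VALUES (1, 'constructed-admin-hash')");

// The finding's PoC shape, padded with NULL so the column count matches this
// constructed three-column users table.
$payload = '1 UNION SELECT id, password, NULL FROM admins';

// Vulnerable path: the UNION is executed and the admins row is returned alongside the user row.
$rows = lookupUserVulnerable($db, $payload);
echo 'vulnerable lookup returned ' . count($rows) . " row(s)\n";

// Hardened path: the same input fails integer validation and no query is issued;
// a well-formed id returns only the id and username columns.
var_dump(lookupUserSafe($db, $payload));
var_dump(lookupUserSafe($db, '1'));
```

In the report, this pairing is what the Remediation section should express: name the vulnerable line, state the root cause (untrusted input becomes part of the SQL text), and show the fix (type validation plus parameter binding) rather than a blacklist of characters.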
id command output, or a successful login bypass). For complex vulnerabilities (e.g., SSTI leading to RCE), draw a simple ASCII or text-based flow:
HTTP Request → index.php (router) → Controller/userController.php (line 40)
→ calls render() in Template.php (line 88) → uses eval() on user input.
This shows the grader you understand the application architecture, not just the one vulnerable line.
The OSWE exam is a brutal test of your ability to read code like a security engineer and break it like an attacker. But the report is where you prove that you understand what you broke.
Do not treat the report as a chore. Treat it as the final exploit. Your audience (the grader) is the target. Your goal is to make their job so easy, so frictionless, that they have no choice but to click PASS.
Remember: A mediocre hacker with an excellent report will pass. An excellent hacker with a mediocre report will fail. Write like your certification depends on it – because it does.
Good luck, and happy white-boxing.
The OffSec Web Expert (OSWE) exam requires a professional-grade penetration test report submitted within 24 hours of completing the 48-hour practical exam. This report is the final deliverable and is graded on both technical correctness and the fullness of documentation. (Source: FlashGenius)

Core Reporting Requirements
OffSec enforces strict documentation standards; failure to meet them can result in a failing mark even if all flags were obtained.
Detailed Methodology: You must provide a walkthrough of every step taken during the exploitation process.
Vulnerability Identification: For each finding, explain exactly why the code is vulnerable (root cause analysis).
Reproducibility: Documentation must be clear enough for a technically competent reader to replicate the attacks step-by-step.
Full Exploitation Chain: The report must document how you chained multiple logic flaws to achieve the final objective.

Mandatory Report Sections
Based on the official OSWE Exam Report Template, your document should include:
High-Level Summary: An overview of the assessment and total points earned.
Target Information: Flag contents for each machine.
Vulnerability Analysis Method and Code: Identify the specific vulnerable source code.
Screenshots: Visual proof of every major step in the exploitation process.
Custom Exploit Code: You must include the source code for your fully automated, non-interactive exploit scripts.
Remediation: Recommended fixes for each vulnerability, such as using parameterized queries or input sanitization.

Critical Grading Criteria
Automation: You must provide a single script that executes the entire exploit chain (e.g., Auth Bypass to RCE) with zero user interaction.
Points Threshold: A minimum number of points is required to pass. Points are typically awarded for each successful Authentication Bypass and for each successful Remote Code Execution (RCE).
Once submitted, the report is final. You cannot add missing screenshots or code after the deadline.
The Offensive Security Web Expert (OSWE) exam report is the formal documentation of your 48-hour practical web application security assessment. It is the final deliverable required by OffSec to prove you have identified, chained, and automated exploits for the target vulnerabilities.

Core Report Requirements
You have 24 hours after your 48-hour exam window ends to submit your documentation.
Format: The report must be a PDF file.
Archiving: You must compress the PDF into a .7z archive (without a password).
Naming Convention: Use the format OSWE-OS-XXXXX-Exam-Report.pdf (replacing XXXXX with your OSID).
Submission: Upload the archive to the OffSec Exam Control Panel.

Essential Report Sections
The report must be professional and thorough enough for a technically competent reader to replicate your attacks step-by-step. (Source: Advanced Web Attacks and Exploitation OSWE Exam Guide)
Here’s a structured, professional review of the OSWE (Offensive Security Web Expert) exam report, including what a proper report should contain, common pitfalls, and how to evaluate your own or someone else’s submission.
