OSWE Exam Report Work

This feature validates the core competency of the OSWE certification: . It proves that the candidate is not just running tools (like in OSCP) but is capable of reading source code, understanding logic errors, and writing custom code to exploit them professionally.

If required by the latest exam guidelines, place the PDF and your exploit scripts into a password-protected .7z or .zip archive named precisely according to the OffSec exam instructions.

Screenshots showing the successful execution (e.g., whoami output, reading proof.txt).

3. Best Practices for OSWE Exam Report Work

Clear and Reproducible Steps

Do not assume the examiner knows what you did. Bad: "I exploited the SQLi and got a shell."

Your documentation must be so clear that a junior analyst with no context could copy, paste, and execute your steps to achieve the exact same Remote Code Execution (RCE).

Crucial Prerequisites and Technical Requirements

Paste the vulnerable code block. Use clear formatting or bold highlights to isolate the weak functions (e.g., insecure deserialization sinks, vulnerable SQL queries, or unsafe OS command executions).

This is the "White Box" heart of the report. For every vulnerability found:

Every critical phase (vulnerability, exploitation, flag extraction) must feature a clear screenshot showing the URL, input, and output.

Structural Breakdown of an OSWE Exam Report

Do not wait until the exam starts to choose your documentation stack. Select and test your reporting toolchain during your Advanced Web Attacks and Exploitation (AWAE) lab time.

1. Markdown Engines (Eisvogel / Pandoc)

Since the OSWE is a white-box exam, you must document the why and where within the source code.

Failing the OSWE exam because of a preventable reporting mistake is a painful experience. To make sure you are not one of the candidates caught by these pitfalls, here are the most common report failure reasons and a checklist to avoid them.

4. The response returns the passwd file, confirming LFI.
5. Using the LFI, chain to log poisoning via `/var/log/apache2/access.log`.