OSWE Exam Report

When writing your Offensive Security Web Expert (OSWE) exam report, you must focus on technical clarity, reproducibility, and completeness to avoid point deductions. The report is a white-box penetration test analysis that proves you have the technical knowledge required for the certification.

Every vulnerability must be documented chronologically from initial discovery to final execution.

Use the official OffSec template. Populate the technical sections first while the memory of the exam is fresh. Save the Executive Summary for last, as it is easier to summarize findings once the technical details are mapped out.

: Provide screenshots of the specific lines of source code.

The most common reason for failure on the OSWE exam is not an inability to hack the box, but a failure in . The OSWE is unique because it requires chaining multiple vulnerabilities (e.g., a file read leading to a credential leak, leading to an admin panel, leading to a template injection). The report must explicitly map how each step connects to the next. If the grader cannot follow the logical chain because a screenshot is missing or a command is truncated, the chain breaks, and the flag is considered unproven. Furthermore, the report must include the actual contents of the final proof flag file (e.g., OSWE... ) captured via a shell command. A screenshot of a browser window with the flag is often rejected because it could be forged; a terminal listing the file using cat or type is the gold standard.

: Document every step, command, and console output. A technically competent reader should be able to replicate your attack exactly.

// Vulnerable Code Snippet
$query = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "'";

A typical OSWE report follows a clear and logical structure to present your findings professionally. Below is a complete template based on OffSec's guidance and community best practices, which you can adapt for your own report.

Many highly skilled penetration testers fail the OSWE not because they lacked the technical skills to exploit the target applications, but because they submitted an incomplete or disorganized report.

This is the meat of the report. Break it down by machine/assignment. Discovery: How you found the bug in the source code.

#!/usr/bin/env python3
import requests
import sys

The script runs and works, but prints no output. Fix: Print "[+] Webshell uploaded to /uploads/shell.php" and "[+] Triggering RCE...".

Don't wait until the 48 hours are over to take screenshots. Capture them during the exam while the environment is still live.

The absolute requirement for a passing OSWE report is . A grader should be able to take a "clean" instance of the exam machines, follow your report step-by-step, and achieve the exact same result. Key elements to include:

A professional title page includes the report title (e.g., "Offensive Security Web Expert Exam Report"), your OSID (not your real name to protect anonymity), email, and the date.

The OSWE exam report is just as critical as your ability to find vulnerabilities in source code. By treating the report as a core component of your preparation rather than an afterthought, you ensure that your technical victories during the 48-hour testing window are successfully converted into a passing grade. Stay organized, take meticulous notes, automate cleanly, and document defensively.