A. Source Code Snippet
Since OSWE is white-box, you must copy-paste the exact vulnerable lines of code. Use monospaced formatting and highlight the insecure line (e.g., eval($_GET['cmd'])).
B. The Code Trace
Explain step-by-step how user input flows from the entry point (e.g., a $_POST['file'] parameter) to a sink function (e.g., include() or system()). OSWE examiners look for this “taint flow” analysis.
Example:
Line 12:
$template = $_GET['theme'];– User input unsanitized. Line 45:include($template . '.php');– Leading to Local File Inclusion (LFI).
C. The Exploit Script You must provide a working Python or Ruby exploit script. The examiner will run this script against their pristine exam environment. If it fails, you fail. Ensure the script is self-contained (no hardcoded absolute paths unless necessary) and includes comments. oswe exam report
D. Proof Screenshots
The OSWE exam report is not an afterthought; it is the final exploit in your chain. You can own both machines in 12 hours, but if you spend 10 minutes on the report, you will fail. Conversely, a meticulous report can sometimes earn you partial credit if the examiner can see you understood the vulnerability chain even if the final flag was elusive.
Treat the report as a separate, 24-hour exam. Sleep, hydrate, then review every line of code you pasted, every command you typed, and every screenshot you took. The difference between an OSWE and a “failed attempt” is often just 5 hours of careful documentation.
Good luck—and may your code traces be clear and your exploits be idempotent. Line 12: $template = $_GET['theme']; – User input
About the Author: [Your Name] is a application security engineer and holder of the OSWE certification. They failed their first OSWE attempt due to a poor report and passed the second with a 100% reproducible document.
When writing your Offensive Security Web Expert (OSWE) exam report, you must focus on technical clarity, reproducibility, and completeness to avoid point deductions. The report is a white-box penetration test analysis that proves you have the technical knowledge required for the certification. Core Report Structure
A professional OSWE report typically includes the following sections: Quiz: OSWE Exam Report - Pen200 - IT 2021 | Studocu
Offensive Security will never release their exact rubric, but after analyzing hundreds of failed exam posts, the criteria are clear. mangled PDF formatting
| Category | Weight | Fail Condition | | :--- | :--- | :--- | | Exploitability | 40% | PoC script fails on a clean install. | | Source Code Accuracy | 25% | Line numbers are off by more than 5 lines, or the wrong file is cited. | | Reproduction Steps | 20% | A human cannot follow steps to replicate without guessing. | | Remediation | 10% | Remediation is generic ("use parameterized queries") without a code example. | | Professionalism | 5% | Spelling errors, mangled PDF formatting, missing page numbers. |
If you get a 100% on the hack but a 60% on the report, your overall score is ~80%, which is often a fail.
Do not write the report as if you discovered the vulnerability via fuzzing. Say: “While reviewing routes.php, the application fails to validate the ‘action’ parameter before passing it to call_user_func_array().”