Use clear architectural explanations to show the flow of data from your payload to the vulnerable backend logic.

Step-by-Step Reproduction
- [ ] Every required target has a **dedicated section**.
- [ ] Each vulnerability includes **source code snippet** + **line number**.
- [ ] A **working exploit script** is provided (Python/Go/curl one-liner with explanation).
- [ ] Screenshots include **terminal commands** and **output** (no cropping of critical data).
- [ ] No manual steps like "then I clicked the admin panel" without an automated equivalent.
- [ ] All `proof.txt` values are **plain text** and match the target's format.
- [ ] The report is **exported as PDF** and submitted before the 24h deadline.
- [ ] No "draft" language, apologies, or missing sections.
Ensure there are no placeholder comments left behind (e.g., `# TODO: fix this later`).
The OSWE exam report is the final gatekeeper to your certification. By focusing on , step-by-step reproducibility, and clean automation, you demonstrate that you aren't just a "script kiddie," but a professional web security expert.
This is the core of the report. For each target, you must provide a of your attack path, including screenshots of each stage, all commands entered, source code for every custom exploit, and the captured `local.txt` and `proof.txt` files. The grader should be able to rebuild your entire attack chain without guesswork.
The OSWE exam report is not a mere formality; it is the primary artifact that demonstrates your technical competence. OffSec graders use the report to evaluate your methodology and ensure your findings are correct and replicable.
: A detailed outline of your discovery process.
: The moment you successfully execute a payload or read a flag, take a screenshot. Crop it immediately so the IP address and command outputs are highly visible.
```python
# Example of a clean, documented snippet within a report
import re
import sys
import requests

def get_csrf_token(target_url):
    """Extracts the anti-CSRF token from the login page."""
    session = requests.Session()
    response = session.get(f"{target_url}/login")
    response.raise_for_status()
    # Parsing logic: the token is assumed to live in a hidden input named
    # "csrf_token"; adjust the pattern to the target's markup.
    match = re.search(r'name="csrf_token"\s+value="([^"]+)"', response.text)
    if not match:
        sys.exit("[-] No CSRF token found on the login page")
    return match.group(1), session
```

Common Pitfalls That Will Fail You
: Download the file after uploading it to the OffSec portal to verify that the archive is not corrupted and contains all necessary files.
Response includes admin session cookie.
The corresponding HTTP response showing the impact (e.g., error messages, reflected data).
Step 2: How you pivoted that access into a file write, command injection, or RCE.
OSWE requires web application exploitation through automation.
: Use the format `OSWE-OS-XXXXX-Exam-Report.pdf` (replacing XXXXX with your OSID).
For more information, the exam guide provides official, detailed requirements.