To pass the OffSec Web Expert (OSWE) exam, you must submit a professional technical report that documents your end-to-end exploit chains for the assigned target applications. The report is as critical as the practical exploitation: failing to meet the OffSec reporting requirements can lead to an automatic fail regardless of your points.

## Core Report Requirements
After your 47-hour and 45-minute practical exam ends, you have 24 hours to upload your final report as a PDF.
WEB-300: Advanced Web Attacks and Exploitation OSWE Exam Guide
The OSWE (OffSec Web Expert) exam report is the final, critical step in earning your certification. After a grueling 47-hour and 45-minute practical exam, you have an additional 24 hours to document your findings. This report is not just a summary; it is a professional proof-of-concept (PoC) document that demonstrates your ability to identify, exploit, and automate web vulnerabilities.

## Report Requirements and Structure
To pass, your report must be detailed enough for a technically competent reader to replicate your results. According to the OSWE Exam Guide, the report should follow a structured format:
Executive Summary: A high-level overview of the assessment's goals and your overall findings.
Methodology: A brief explanation of the steps taken during the exam.
Detailed Technical Findings: For each machine, you must include:
Vulnerability Description: The type of flaw found (e.g., Auth Bypass, RCE).
Step-by-Step Exploitation: Clear instructions with screenshots showing the vulnerability being triggered.
Full Exploit Code: A working Python script that automates the entire attack chain from start to finish.
Recommendations: Remediation steps to fix the identified vulnerabilities.

## Critical "Do's and Don'ts"
Based on reviews from OffSec and experienced students, keep these tips in mind:
Document as You Go: Do not wait until the 24-hour reporting window to start writing. Take screenshots of every successful step and save your code snippets during the exam itself.
Verify Your Scripts: The automation script is the backbone of the OSWE. Ensure it runs independently and produces the expected output (typically a reverse shell or specific flag).
Formatting Matters: Use the official OffSec Report Template to ensure you don't miss any mandatory sections.
Include Evidence: Every claim of a vulnerability must be backed by a screenshot showing the proof of concept (e.g., the output of whoami or the content of a local flag file).

## Submission Process
Once finished, you must convert your report into a PDF and archive it in a .7z or .zip file with your OS-ID. You then upload it via the control panel provided in your exam instructions. Missing the deadline by even a few minutes results in an automatic failure.
The OffSec Web Expert (OSWE) exam report is a critical technical document that must be submitted within 24 hours after the 47-hour-45-minute practical exam. It serves as formal proof of your technical findings and is graded on both correctness and completeness; failing to provide sufficient documentation can result in zero points for a finding, even if you successfully exploited the target.

## Key Reporting Requirements
Target Replication: Documentation must be detailed enough for a technically competent reader to replicate your attacks step-by-step.
Flag Verification: You must include screenshots showing the contents of local.txt and proof.txt on the target machines to receive credit.
Exploit Automation: The report must contain the full source code for a single, non-interactive script that automates the entire exploit chain for each target.
Submission Format: Reports must be submitted as a PDF archived within a .7z file.

## Recommended Report Structure
OffSec provides official templates in Word and OpenOffice formats to ensure candidates include all mandatory sections:
Methodology Walkthrough: A high-level overview of your discovery and exploitation process.
Vulnerability Breakdown: For each target, detail the research performed, the specific code analyzed, and how the vulnerability was identified.
Proof of Concept (PoC): The final automated script used to gain access.
Screenshots: Visual evidence of successful exploitation and flag retrieval.

## Critical Tips from Reviews

### Step 1 – Name the Vulnerability Correctly
Don't write "Login bypass." Write: "Authentication Bypass via PHP Type Juggling (CWE-843)." Use the exact OWASP/CWE terminology. Examiners love this.
Create a skeleton document with the following sections pre-filled.

# OSWE Exam Report – [Your OSCP ID]

## Sample of What a Good OSWE Report Entry Looks Like
### Vulnerability 1: Unauthenticated RCE via eval() in export.php
Code Snippet (/var/www/app/export.php lines 12–16):

```php
$format = $_GET['format'];               // attacker-controlled request parameter
eval("$format = json_decode($data);");   // interpolated straight into the code string passed to eval()
```
**Exploit Request** (raw HTTP):

```http
GET /export.php?format=system('cat%20/etc/passwd') HTTP/1.1
Host: 192.168.1.100
```

**Response** (truncated):

```
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:...
```

**Proof screenshot** – attached.
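As an added illustration of what the Recommendations section for the entry above should describe (this is not code from the OSWE guide or from any real application), here is a hardened export.php that removes the eval() call and accepts only an allowlist of formats; the sample payload and the format names are assumptions:

```php
<?php
// Added illustration, not from the OSWE guide or any real application.
// The request parameter is used only as a lookup key; it never reaches eval().

// Hypothetical sample data standing in for the application's export payload.
$data = '{"id": 7, "name": "sample"}';

// Allowlist of supported export formats mapped to safe encoder callables.
$exporters = [
    'json' => fn(string $raw): string => json_encode(json_decode($raw, true)),
    'csv'  => function (string $raw): string {
        $row = json_decode($raw, true);
        $out = fopen('php://temp', 'r+');
        fputcsv($out, array_keys($row));
        fputcsv($out, array_values($row));
        rewind($out);
        return stream_get_contents($out);
    },
];

$format = $_GET['format'] ?? 'json';

// Reject anything outside the allowlist instead of interpreting it as code.
if (!array_key_exists($format, $exporters)) {
    http_response_code(400);
    exit('Unsupported export format');
}

header('Content-Type: text/plain');
echo $exporters[$format]($data);
```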
### Final Verdict
- **The OSWE exam report is not an afterthought – it is 50% of the battle.**
- If you can exploit all machines but fail to document **raw requests, code snippets, and reproducible steps**, you will **fail the exam**.
- Conversely, a clean, meticulous report can sometimes **save a borderline exam** where you only partially exploited a target but documented the chain thoroughly.

**Rating for report difficulty:** ⭐⭐⭐⭐☆ (4/5) – not hard in concept, but brutal in precision requirements.

**Advice:** Practice writing 2–3 mock reports from the OSWE lab machines before the exam. Use the official template. Treat the report as part of the exploit development process, not a separate chore.
Developing your OffSec Web Expert (OSWE) exam report requires a structured, professional-grade document that explains your technical discovery and exploitation process in detail. You must submit this report in PDF format after your 48-hour exam window concludes.

## Core Requirements
To pass, your report must be detailed enough that a technically competent reader can replicate your attacks step-by-step.

Methodology Walkthrough: A narrative description of how you identified vulnerabilities through source code analysis.
Detailed Findings: Each vulnerability must include:
Vulnerable Code Snippets: Screenshots of the specific functions or lines responsible for the flaw.
Technical Explanation: Why the code is vulnerable and how it can be exploited.
Full Exploit Code: Your final, fully automated exploit script, included as plain text within the PDF.
Proof of Compromise: Screenshots showing the flags, along with confirmation of the target IP.

## Document Structure
OffSec provides official templates. Common practice is to follow this outline:
## Mistake #2: Missing Source Code References
The error: "I found an SQLi in the search bar."
The fix: "In search.php lines 12-15, the code concatenates $_GET['q'] directly into the query. See Appendix A for the full source dump."