| ✅ Do | ❌ Don’t | |-------|----------| | Include code line numbers | Write “I tried many things” | | Show raw HTTP requests | Paste huge log files | | Explain the logic of the chain | Forget to reference source code | | Keep exploit script clean and runnable | Use external libraries not in base Python | | Mention if a vulnerability is in a 3rd‑party lib | Obfuscate steps – clarity = passing |
The OSWE report is a code‑grounded exploit narrative. You are not just a pentester – you are a security researcher proving that reading the source code leads to a reliable, chainable attack. Focus on clarity, reproducibility, and precise code references. A well‑written report can save you even if your exploit is slightly unstable – the examiner must understand your reasoning.
Good luck with your OSWE exam!
OffSec Web Expert (OSWE) exam requires a formal, professional report detailing the exploitation of two web applications within a 47 hour and 45 minute practical exam. Following the lab, you have to submit your documentation. oswe exam report
The report is a critical component of the certification; even if you achieve the required points, an incomplete or poorly formatted report can lead to failure. OSWE Exam Report Requirements OffSec requirements , your report must be submitted as a archived into a file using the naming convention OSWE-OS-XXXXX-Exam-Report.7z Core Document Structure An acceptable report generally follows the Official OSWE Template , which includes the following sections: Advanced Web Attacks and Exploitation OSWE Exam Guide
This distinguishes OSWE from other certs. You must document how your automated exploit works.
requests, BeautifulSoup).python exploit.py --url <url> --cmd <command>).You must tell the developer exactly how to fix the code. Mastering the OSWE Exam Report: A Comprehensive Guide
system("ping " . $ip);system("ping " . escapeshellcmd($ip)); or preferably refactor to avoid system() entirely.$stmt = $conn->prepare($sql);"Purpose: To provide a high-level overview for management and non-technical stakeholders.
C:\Users\Bob\Desktop\shell.php. Use ./shell.php.sys.argv for the target IP, port, and any session tokens. Better yet, have the script discover tokens via regex.time.sleep() and document exactly why.[+] Login successful and [-] Failed to upload so the grader knows where a failure occurs.viewUser.php”)Affected file & line
/modules/user/viewUser.php – line 42
Code snippet
$id = $_GET['id'];
$query = "SELECT * FROM users WHERE id = " . $id;
Description
No input sanitisation. $id concatenated directly into query.
Proof of Concept
Request:
GET /viewUser.php?id=1 UNION SELECT password FROM admins
Response showing admin hash.
Impact
Database disclosure, authentication bypass, potential RCE if combined with file write.
Repeat for each distinct vulnerability (e.g., File Upload Bypass, Command Injection, Auth Bypass).