Evidence of the vulnerability (e.g., successful command execution, reading the proof.txt file).
Ensure you export your report as a PDF. Double-check that your naming convention matches OffSec’s requirements (e.g., OSWE-WM-XXXXX-Exam-Report.pdf).
7. Pro-Tips for Success
: High-level overview of the targets and whether they were fully compromised.
Provide snippets of the vulnerable source code with syntax highlighting, pointing out the exact lines where user input is unsafely handled.
B. Flaw Identification & Local Verification
For each finding, provide specific coding fixes.
Before you zip up your report and exploit.py, set a timer for 30 minutes and run this checklist.
This is the core of the report. For each target, you must provide a of your attack path, including screenshots of each stage, all commands entered, source code for every custom exploit, and the captured local.txt and proof.txt files. The grader should be able to rebuild your entire attack chain without guesswork.
Suggest specific code fixes (e.g., "Use parameterized queries" or "Implement strict CSRF tokens").
💡 Pro-Tips for Success
: You must include screenshots of local.txt and proof.txt contents, clearly showing the IP address and the command used to read them (e.g., type or cat).
2. Core Report Structure
The OSWE exam report is not a mere formality; it is the primary artifact that demonstrates your technical competence. OffSec graders use the report to evaluate your methodology and ensure your findings are correct and replicable.
Many successful OSWE candidates use pre-built templates to save time during the 24-hour reporting window. Here are the most popular and reliable options:
Do not just show the vulnerable function. Show the two lines above it to prove there is no sanitization, and the two lines below it to show the impact.
Here is the truth that many candidates learn the hard way:
Review this checklist before submitting your final document to ensure you do not fall victim to easily avoidable mistakes:
The absolute most important requirement of the OSWE report is . A technical reviewer should be able to take your report, follow it step-by-step on a fresh instance of the machine, and achieve the exact same result.
user=admin' OR '1'='1' -- &pass=anything
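As an added illustration of what the "flaw identification" and "code fixes" sections above ask for, the following snippet (written for this page, not taken from OffSec's materials or any exam target) shows the vulnerable query with the lines around it beside its parameterized replacement, and runs the payload quoted above against both. The users table, its single row and the two login functions are constructed assumptions for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    # The "two lines above": the form fields arrive here untouched, with no
    # validation or escaping before they are glued into the SQL text.
    query = ("SELECT username FROM users WHERE username = '" + user +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    # The "two lines below" (impact): any returned row counts as a successful
    # login, so a tautology in the WHERE clause authenticates the attacker.
    return row is not None


def login_fixed(conn, user, password):
    # Remediation: a parameterized query. The driver sends the values
    # separately from the statement, so quotes and comment markers in the
    # input are compared as data and can never rewrite the query.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (user, password)).fetchone()
    return row is not None


def demo():
    # The payload quoted on this page, split into its two form fields.
    conn = make_db()
    user = "admin' OR '1'='1' -- "
    password = "anything"
    return {
        "vulnerable": login_vulnerable(conn, user, password),   # True: bypass
        "fixed": login_fixed(conn, user, password),             # False: rejected
        "fixed_valid": login_fixed(conn, "admin", "correct-horse-battery"),
    }


if __name__ == "__main__":
    print(demo())
```

In a report, the two functions would appear as "before" and "after" code listings, with the output of demo() serving as the local verification evidence that the fix rejects the payload while still accepting valid credentials.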