Double-check that every target's local.txt and proof.txt contents match your screenshots perfectly.
The OSWE is a white-box exam. You must document your source code analysis process.
OffSec provides an official report template, which you should use as your foundation. Your final document must include several critical sections to be considered valid. 1. Executive Summary
When pasting Python code into your report editor, ensure the indentation remains completely intact. Python relies on indentation; if your report breaks the syntax, it technically becomes non-functional code. oswe exam report
Explain which file, class, or function contained the flawed logic.
Documenting the RCE but forgetting to detail exactly how you achieved the initial authentication bypass required to reach that endpoint. Conclusion
You must provide a working Python or Ruby exploit script. The examiner will run this script against their pristine exam environment. If it fails, you fail. Ensure the script is self-contained (no hardcoded absolute paths unless necessary) and includes comments. Double-check that every target's local
Before you hit the submit button on the OffSec portal, verify the following: The report is compiled into a single PDF document.
A well-structured OSWE report contains specific sections, designed to guide a reviewer through your methodology from initial discovery to final exploitation.
Include HTTP requests and responses (using tools like Burp Suite) demonstrating the flaw. OffSec provides an official report template, which you
Purpose: To show you understand how to fix the issues.
Does the report explain the underlying source code logic flaws for every vulnerability?
Authenticated Remote Code Execution (RCE) via SQLi & File Write Chain Target Application: Cyclone (Hypothetical Exam App) Language: Python 3
For each vulnerability found, use the following structure:
You show a weakness but not the surrounding code. For instance, you find a SQL injection, but you don’t show the sanitization attempt (e.g., addslashes() ) that you bypassed. The examiner needs to see why the developer’s fix failed.