Oswe Exam Report

OffSec Web Expert (OSWE) exam report is the final hurdle in the 48-hour

• [ ] Is the report named OSWE-OS-XXXXX-Report.pdf?
• [ ] Is the PoC named exploit_<vulnerability_name>.py?
• [ ] Are both files zipped into OSWE-OS-XXXXX-Exam.zip?
• [ ] Did you test extracting the zip on a different computer?

Code Analysis: This is the "White-Box" part. Include snippets of the vulnerable source code. Highlight the specific lines where user input is mishandled. Steps to Exploit: Use a numbered list. Send a POST request to X. Intercept the cookie Y. Modify the payload to Z.

OSWE exam reports typically require you to demonstrate that you can not only find the bugs manually but also automate the exploitation process.

For each vulnerability, include:

A. Source Code Snippet Since OSWE is white-box, you must copy-paste the exact vulnerable lines of code. Use monospaced formatting and highlight the insecure line (e.g., eval($_GET['cmd'])).

Full Exploit Source: You must include the complete source code for your custom, automated exploit scripts.

1. Executive Summary: A high-level overview of the engagement and overall risk assessment.
2. Methodology: How you approached the source code review and exploitation.
3. Findings & Recommendations: A detailed breakdown of each vulnerability.
4. Proof of Exploitation: Screenshots and command outputs verifying local.txt and proof.txt.
5. Debugging Output & Code Traces: Unique to OSWE—you need to show the vulnerable code flow.

The script must be verbose (print URLs, cookies, responses) and require minimal modification. Ideally, the reviewer types python3 exploit.py 192.168.1.100 and gets a shell.