OSWE Exam Report (May 2026)


Remediation. Purpose: to show you understand how to fix the issues you exploited, not just how to find them.

For each finding, provide a specific, code-level fix: the corrected lines in the same file and language as the vulnerable snippet, with a sentence on why the change closes the taint path you traced. Generic advice ("sanitize input", "use parameterized queries") without a code example scores poorly.
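The remediation for the LFI traced later on this page (`$template = $_GET['theme']; include($template . '.php');`) is an allowlist: map the client-supplied name to a file the server chose, and refuse everything else. The following is an added example written for this page, not code from the original article or from any OffSec material. It expresses the vulnerable and hardened resolution side by side in Python so both can be run; the theme directory, the theme names and the attacker payloads are assumptions. The PHP equivalent of the hardened check is `in_array($theme, ['default', 'dark', 'print'], true)` before the `include()`.

```python
"""
Added example: vulnerable vs. hardened template resolution for the LFI
    $template = $_GET['theme'];
    include($template . '.php');
Constants below (directory and theme names) are assumptions for illustration.
"""
import os
from typing import Dict, Optional, Tuple

THEME_DIR = "/var/www/app/themes"             # assumption: where templates live
THEME_ROOT = os.path.realpath(THEME_DIR)        # resolved once, for the containment check
ALLOWED_THEMES = {"default", "dark", "print"}   # assumption: the only templates that exist

# Constructed attacker inputs, modelled on what the trace allows (not captured traffic).
ATTACKER_PAYLOADS = [
    "../../../../etc/passwd",                               # plain traversal
    "php://filter/convert.base64-encode/resource=config",   # wrapper: reads config.php source
    "default/../../config",                                 # traversal behind an allowed prefix
]


def vulnerable_resolve(theme: str) -> str:
    """Mirror of include($template . '.php'): the client controls the whole path.
    Traversal sequences and php:// wrappers pass straight through."""
    return theme + ".php"


def hardened_resolve(theme: str) -> Optional[str]:
    """Allowlist the name, then build the path server-side.
    Returns the absolute file to include, or None to refuse the request."""
    # 1. Exact-match allowlist: no prefixes, no substrings, no case folding.
    if theme not in ALLOWED_THEMES:
        return None
    # 2. Defence in depth: even if ALLOWED_THEMES is later edited carelessly,
    #    never include anything that resolves outside THEME_ROOT.
    path = os.path.realpath(os.path.join(THEME_ROOT, theme + ".php"))
    if os.path.commonpath([path, THEME_ROOT]) != THEME_ROOT:
        return None
    return path


def compare(inputs=None) -> Dict[str, Tuple[str, Optional[str]]]:
    """Run every input through both versions; handy for a before/after table in the report."""
    inputs = inputs if inputs is not None else ["dark"] + ATTACKER_PAYLOADS
    return {value: (vulnerable_resolve(value), hardened_resolve(value)) for value in inputs}


if __name__ == "__main__":
    for value, (before, after) in compare().items():
        print(f"{value!r:60} vulnerable -> {before!r:55} hardened -> {after!r}")
```

Every attacker payload is rejected by the hardened version while the legitimate theme still resolves inside the theme directory; that before/after table is exactly the evidence the remediation section should carry.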


A. Source Code Snippet. Since OSWE is white-box, copy the exact vulnerable lines from the application source, with the file name and line numbers they came from. Use monospaced formatting and highlight the insecure line (e.g. eval($_GET['cmd'])). Citing the wrong file, or line numbers that do not match the examiner's copy, is a listed fail condition.

B. The Code Trace. Explain step by step how user input flows from the entry point (e.g. a $_POST['file'] parameter) through any intermediate assignments or function calls to the sink (e.g. include() or system()). This "taint flow" analysis is what OSWE examiners look for: every hop should name the file and line, and any sanitization the input passes through should be shown and explained as insufficient.

Example:

Line 12: $template = $_GET['theme']; – user input, unsanitized.
Line 45: include($template . '.php'); – user input reaches the include() sink, giving Local File Inclusion (LFI).

C. The Exploit Script. You must provide a working Python or Ruby exploit script. The examiner will run it against a pristine copy of the exam environment; if it fails there, the finding fails. Make the script self-contained: take the target host, port and any credentials as arguments rather than hardcoding the IPs from your own session, avoid absolute paths unless necessary, list any non-standard dependencies, and comment each stage so the examiner can follow it without your session notes.

D. Proof Screenshots

Offensive Security does not publish its exact rubric. The weights below are inferred from analysing hundreds of published failure accounts, so read them as an estimate of what gets penalised rather than official scoring.

| Category | Weight | Fail Condition |
| :--- | :--- | :--- |
| Exploitability | 40% | PoC script fails on a clean install. |
| Source Code Accuracy | 25% | Line numbers are off by more than 5 lines, or the wrong file is cited. |
| Reproduction Steps | 20% | A human cannot follow the steps to replicate without guessing. |
| Remediation | 10% | Remediation is generic ("use parameterized queries") without a code example. |
| Professionalism | 5% | Spelling errors, mangled PDF formatting, missing page numbers. |

If you score 100% on the hack but 60% on the report, the blended result is roughly 80%, below the 85-point pass mark: a clean compromise does not survive a weak write-up.


The OSWE exam is unique among OffSec certifications because it focuses on white-box web application security (source code review). Unlike OSCP, you have access to the application's source code. The exam requires full compromise of two separate web applications (or a multi-app environment) within 48 hours, followed by a 24-hour window to submit the report.

Key grading criteria are the ones in the rubric table above: a working exploit, accurate source citations, reproducible steps, code-level remediation and a professionally formatted report.


The Offensive Security Web Expert (OSWE) certification is one of the most respected and challenging credentials in the application security industry. Unlike multiple-choice exams or simple capture-the-flag (CTF) events, the OSWE exam is a grueling 48-hour practical test followed by a 24-hour reporting window.

Most candidates obsess over the hacking phase. They spend months mastering white-box code analysis, advanced PHP object injection and .NET deserialization. Yet a large share of failures occur not because the candidate could not compromise the applications, but because the OSWE exam report they produced did not meet Offensive Security's standards.

In this guide, we dissect exactly what the OSWE exam report requires, how to structure it for maximum points, and the common pitfalls that lead to an "Incomplete" or "Fail" status.

  • 4.2 [Application Name] - [Vulnerability Title]
  • Appendix