This is the heart of your report and the section that requires the most careful attention. It must contain a step-by-step account of your penetration test, structured by each objective or target system.
OSWE is rarely about a single bug. It’s about .
One of the core graduation requirements of the OSWE is automation. You cannot simply document manual Burp Suite steps.
What do you currently plan to use? (Markdown, Word, etc.) oswe exam report work
: Visual evidence of successful exploitation and flag retrieval. Critical Tips from Reviews Advanced Web Attacks and Exploitation OSWE Exam Guide
Before typing your first section, review the official OffSec exam guide for strict reporting requirements. Missing even one minor administrative instruction can invalidate your entire submission.
Failing the OSWE exam because of a preventable reporting mistake is a painful experience. To make sure you are not one of the candidates caught by these pitfalls, here are the most common report failure reasons and a checklist to avoid them. This is the heart of your report and
Identify the specific source code file, function, or line number responsible for the flaw.
Write your methodology in a "narrative" form so a technically competent reader can replicate your exact steps. This includes: Discovery process for the vulnerability. Manual exploitation steps using tools like Burp Suite .
If you want, I can:
The OSWE exam requires two separate documents:
As you sit for the exam, keep these general strategies in mind:
# Based on source code at /var/www/html/classes/User.php line 89 # The hash is unsalted MD5 of username + password. target = "http://192.168.1.10/login.php" payload = "user": "admin", "pass": "admin" hash_candidate = hashlib.md5(f"payload['user']payload['pass']".encode()).hexdigest() print(f"[*] Attempting hash: hash_candidate") r = requests.post(target, data=payload) if "Welcome" in r.text: print("[+] Authentication bypassed.") </code></pre> <hr> <h2>Part 4: Common OSWE Report Work Mistakes (And How to Avoid Them)</h2> <p>Over the years, I have reviewed dozens of failed OSWE reports. Here are the top 5 mistakes:</p> <h3>Mistake #1: Submitting a “Hacker’s Log”</h3> <p>Do not include:</p> <ul> <li>“I tried SQLmap but it crashed.”</li> <li>“I wasted 3 hours on a false positive.”</li> <li>“Maybe if I had more time…”</li> </ul> <p>Your report is not a diary. It is a polished final product.</p> <h3>Mistake #2: Missing the “Two-Exploit” Rule</h3> <p>For the OSWE exam, you must compromise <strong>two separate standalone boxes</strong> (Box 1 and Box 2). Your report must clearly separate the two. Do not interleave them. Use clear headings: <strong>Section A – Box 1 (Challenger)</strong> and <strong>Section B – Box 2 (Challenger)</strong>.</p> <h3>Mistake #3: Vague Remediation Advice</h3> <p><strong>Bad:</strong> “Fix the SQL injection.”<br> <strong>Good:</strong> “Replace string concatenation in <code>db.php</code> line 44 with PDO prepared statements. Example: <code>$stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');</code>”</p> <h3>Mistake #4: Forgetting the Localhost Proof</h3> <p>Some OSWE exam boxes require you to exploit a vulnerability that runs on localhost (e.g., a local privilege escalation via a cron job). You must prove this <em>inside the report</em> with a screenshot of your local terminal and the target machine’s hostname.</p> <h3>Mistake #5: Incorrect File Naming</h3> <p>You must name your submitted files exactly as specified in the OSWE Exam Guide. Typically:</p> <ul> <li><code>OSWE-Exam-Report-<YOUR_OSCP_ID>.pdf</code></li> <li><code>OSWE-Exam-Exploits-<YOUR_OSCP_ID>.zip</code></li> </ul> <p>If you name them <code>final_report_v3_FINAL.pdf</code>, your exam will not be graded.</p> <hr> <h2>Part 5: Time Management – How Long Should OSWE Exam Report Work Take?</h2> <p>You have 47 hours and 45 minutes of active hacking (the exam pauses for breaks, but the clock runs for 48 hours). Do not spend 40 hours hacking and 7 hours reporting. That is a recipe for a rushed, failing report.</p> <h3>The 40/8 Rule for OSWE</h3> <ul> <li><strong>First 40 hours:</strong> Pure exploitation. But here’s the trick – <em>take notes and screenshots as you go</em>. Write your exploit script incrementally.</li> <li><strong>Last 8 hours:</strong> Stop hacking. Disconnect your VPN. Format the report, organize screenshots, write the executive summary, and double-check every PoC.</li> </ul> <h3>The Pre-Report Checklist (2 hours before submission)</h3> <p>Go through this checklist slowly:</p> <ul> <li>[ ] Does every vulnerability have a screenshot of the exploit running?</li> <li>[ ] Is every Python script properly indented and error-free?</li> <li>[ ] Did I include the vulnerable source code snippet in the report?</li> <li>[ ] Does my executive summary match the technical details (no contradictions)?</li> <li>[ ] Have I redacted any personal information (real names, IP addresses from your home network)?</li> <li>[ ] Is my PDF under 15MB? (Massive files get rejected.)</li> <li>[ ] Did I re-run every exploit script against the target to ensure it still works?</li> </ul> <hr> <h2>Part 6: Advanced OSWE Report Work – Going from Pass to “Expert”</h2> <p>The OSWE is not just about passing; it’s about demonstrating <em>expertise</em>. Your report is your portfolio. Here’s how to elevate it.</p> <h3>6.1 Include a “Creative Attack Chain”</h3> <p>The exam wants you to chain vulnerabilities. Don’t just list them:</p> <ul> <li>XSS -> CSRF -> Change admin password -> Read source code -> Find hardcoded DB creds -> RCE.</li> </ul> <p>Draw a simple flowchart in Draw.io or Mermaid.js and embed it. Examiners reward creative chaining.</p> <h3>6.2 Add a “Why This Vulnerability Existed” Section</h3> <p>For each finding, write one sentence on the root cause: <em>“The developer assumed user input would never contain a null byte, leading to a path traversal.”</em> This shows deep understanding.</p> <h3>6.3 Use Tables for Parameters</h3> <p>Instead of a long paragraph, use a table to describe the malicious HTTP request:</p> <p>| Parameter | Original Value | Malicious Value | Effect | |-----------|---------------|-----------------|--------| | <code>user_id</code> | <code>123</code> | <code>123 UNION SELECT password FROM users</code> | SQLi | | <code>debug</code> | <code>false</code> | <code>true</code> | Enables error disclosure |</p> <hr> <h2>Part 7: After the Exam – Submitting Your OSWE Report Work</h2> <p>You’ve finished the report. Now the final steps.</p> <h3>Step 1 – PDF Conversion</h3> <p>Export your document to PDF. Then open the PDF and check:</p> <ul> <li>All hyperlinks work.</li> <li>All screenshots are visible (not broken links).</li> <li>Code blocks have not lost their indentation.</li> </ul> <h3>Step 2 – Zip Your Exploits</h3> <p>Create a folder named <code>/exploits/</code>. Inside, put every <code>.py</code>, <code>.sh</code>, and <code>.php</code> script you wrote. Do not include third-party tools (like sqlmap) unless you modified them. Create a <code>README.txt</code> inside the zip explaining how to run each script.</p> <p>Name the zip: <code>OSWE-Exam-Exploits-<YOUR_ID>.zip</code></p> <h3>Step 3 – Upload to OffSec Portal</h3> <p>Log into the OffSec exam portal. Upload both:</p> <ol> <li>The PDF report</li> <li>The ZIP file</li> </ol> <p>Then, and this is critical – <strong>copy the submission confirmation URL</strong> and save it offline. You will not get an email confirmation immediately.</p> <h3>Step 4 – Wait (And Resist the Urge to Resubmit)</h3> <p>Grading takes 5–10 business days. Do not resubmit unless asked. Resubmitting resets your place in the queue.</p> <hr> <h2>Conclusion: The Report Is Your Victory Lap</h2> <p>Mastering <strong>OSWE exam report work</strong> is not an afterthought—it is a core exam skill. Many talented hackers fail not because they cannot exploit, but because they cannot communicate their exploitation. A clean, thorough, and professional report turns your 48-hour struggle into a clear narrative of success.</p> <p>Remember:</p> <ul> <li>Start your report template <em>before</em> the exam.</li> <li>Screenshot everything, even the small wins.</li> <li>Write every vulnerability as if the reader has no context.</li> <li>Stop hacking 8 hours early to polish and proofread.</li> </ul> <p>If you follow this guide, you will not only pass the OSWE—you will produce a report worthy of a senior penetration tester. Now go break those web apps, chain those vulnerabilities, and write the report that finally earns you the letters: <strong>OSWE</strong>.</p> <p>Good luck.</p> <hr> <p><strong>Further Resources:</strong></p> <ul> <li>OffSec OSWE Exam Guide (official PDF)</li> <li>OWASP Testing Guide v4 (for remediation language)</li> <li>"The Pentester Blueprint" by Phillip L. Wylie (for report writing philosophy)</li> </ul> <p><em>This article is independently written and not affiliated with or endorsed by Offensive Security.</em></p> It’s about