If the script is exceptionally long, paste the critical payload-generation logic directly into the text body, and append the full script to the end of the section or report.

D. Proof of Possession (Flags)
During the 48-hour exam, you are exhausted. You will forget what a screenshot was for. Use a timestamp tool or a notebook to record what each screenshot is meant to show as you take it.
The preferred method for many advanced students. You write in simple Markdown, use a customized LaTeX template, and compile to PDF via the command line.
The OSWE exam report includes a detailed account of a candidate's activities during the exam. Some of the key elements that are typically included in the report include:
Provide a conceptual narrative of your exploit chain before breaking down the code. Explain how the vulnerabilities connect. For example, describe how an unauthenticated file read vulnerability allowed you to steal a configuration key, which you then used to forge a session token to access an administrative dashboard, ultimately leading to remote code execution (RCE).

3. Granular Vulnerability Breakdown (Per Host)
| Criteria | Weight | Passing Requirement |
|----------|--------|---------------------|
| Correctness of exploitation | 60% | All vulnerabilities fully chained to shell/flag |
| Reproducibility | 20% | Examiner can rerun exploit script and get same result |
| Clarity / Documentation | 20% | Code references, screenshots, logical flow |
Ensure your script is readable, commented, and does not rely on hardcoded local paths that won't work on the grader's machine.
---
The OSWE exam report is your final presentation as an expert. By following a structured approach, focusing on white-box analysis, providing robust proof-of-concept code, and following OffSec guidelines, you can significantly increase your chances of passing. Documentation is not just a requirement; it is a demonstration of your professional competence as a web application expert. Good luck with your OSWE exam and report!
Explain the business risk (e.g., "Complete application takeover via SQL Injection") for non-technical management.

D. Methodology