Report: Oswe Exam

In this guide, we will dissect exactly what the OSWE exam report requires, how to structure it for maximum points, and common pitfalls that lead to an “Incomplete” or “Fail” status. The OSWE exam report is a formal penetration testing deliverable. You are acting as a consultant who has successfully compromised two separate machines (or a network of applications) by chaining together multiple vulnerabilities.

Use relative paths and generic listener commands. Document every external command. Failure #2: Missing Code Context You show a weakness but not the surrounding code. For instance, you find a SQL injection, but you don’t show the sanitization attempt (e.g., addslashes() ) that you bypassed. The examiner needs to see why the developer’s fix failed. oswe exam report

Include 10 lines above and below the vulnerable code. Failure #3: Forgetting the “White-Box” Rule Do not write the report as if you discovered the vulnerability via fuzzing. Say: “While reviewing routes.php, the application fails to validate the ‘action’ parameter before passing it to call_user_func_array().” Failure #4: Poor Screenshot Hygiene Blurry images, terminal text too small, or screenshots that edit out critical error messages. OffSec requires clear, readable proofs. In this guide, we will dissect exactly what

Your goal is to provide a document that allows Offensive Security’s lab team to verify your findings. Use relative paths and generic listener commands

For each vulnerable application, you need a section titled: “Vulnerability Chain: [Entry Point] to [Remote Code Execution].” A. Source Code Snippet Since OSWE is white-box, you must copy-paste the exact vulnerable lines of code. Use monospaced formatting and highlight the insecure line (e.g., eval($_GET['cmd']) ).

Explain step-by-step how user input flows from the entry point (e.g., a $_POST['file'] parameter) to a sink function (e.g., include() or system() ). OSWE examiners look for this “taint flow” analysis.

public function runCommand($user_input) { $result = ""; assert("$result = $user_input"); return $result; } The runCommand() method takes user-controlled input from the cmd POST parameter. The assert() function evaluates the string as PHP code. Since no sanitization is applied, an attacker can break out of the string concatenation by injecting '.phpinfo().' , leading to arbitrary code execution.