OSWE Exam Report (May 2026)

The Complete OSWE Exam Report Guide

Recommended Report Structure

  1. Executive Summary

    • One-paragraph scope and high-level findings (impact, number of critical issues, overall assessment).
  2. Environment

    • Target hostname/IPs, application stack (web server, language/framework, DB), exam time window, tools used (e.g., Burp Suite, ffuf, nmap, sqlmap, custom scripts).
  3. Methodology

    • Recon steps (enumeration, crawling), testing approach (blackbox/graybox assumptions), and exploitation strategy.
  4. Vulnerability Findings (repeat per issue)

    • Title & Severity: (Critical/High/Medium/Low)
    • Affected Component: URL, parameter, endpoint, or file path.
    • Description: What the vulnerability is and why it matters.
    • Impact: Potential attacker capabilities (RCE, auth bypass, data leak).
    • Proof-of-Concept: Concise, reproducible steps with exact requests, payloads, and expected responses. Include command output, screenshots, or base64-encoded artifacts as appendices.
    • Root Cause: Code or configuration causing the issue.
    • Remediation: Specific fixes, secure coding examples, configuration changes, and testing recommendations.
    • References: CVE, OWASP links, or docs for similar issues.
  5. Chaining & Post-Exploitation

    • Show how multiple issues combine to achieve higher impact (e.g., SSRF -> internal service access -> authentication bypass).
    • Steps to achieve final objectives (proof files, flags). Include precise commands and timings.
  6. Evidence Appendix

    • Full exploit scripts, raw request/response logs, screenshots, file hashes, and final flags. Ensure sensitive data redaction as required by exam rules.
  7. Mitigation & Hardening Checklist

    • Actionable items prioritized by severity (patching, input validation, least privilege, logging/monitoring, WAF rules).
  8. Testing Notes & Limitations

    • Assumptions, test coverage, and any parts of the app not reachable during the exam window.

B. Affected Component & Source Code Reference

A. Vulnerability Name & Severity

Common Reasons OSWE Exam Reports Fail

Let’s look at the data from community feedback and OffSec’s own scoring guide.

3.8 Appendix: Exploit Script

Paste your full Python (or other) script. Ensure it is well commented and works with minimal changes (the examiner may run it).

#!/usr/bin/env python3
# Exploit for OSWE exam - SQLi to RCE chain
import requests

target = "http://10.0.0.1/"

D. Reproduction Steps (Manual)

Write step-by-step instructions for a human to follow manually (without the script).

  1. Navigate to http://target/login.php.
  2. Intercept the POST request.
  3. Change username to admin' OR '1'='1.
  4. Observe the session cookie returned.
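
One way to back the Root Cause and Remediation entries for the login bypass in the steps above with code, as an added example that is not part of the original guide. Python's sqlite3 stands in for the application's PHP and database code, which the guide does not show; the table, credentials and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table standing in for the application's database.
    Password handling is simplified to keep the focus on query construction;
    a real application stores a salted password hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def login_vulnerable(db, username, password):
    # Root cause: user input is concatenated into the SQL text, so a quote
    # in `username` changes the structure of the WHERE clause.
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None

def login_fixed(db, username, password):
    # Remediation: placeholders bind input as data; the query shape is fixed.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

def regression_check(payload="admin' OR '1'='1"):
    """Run the username value from the manual steps against both versions.
    Returns (vulnerable_result, fixed_result); a correct fix yields None."""
    db = make_db()
    return login_vulnerable(db, payload, "x"), login_fixed(db, payload, "x")

if __name__ == "__main__":
    before, after = regression_check()
    print("before fix, logged in as:", before)
    print("after fix, logged in as:", after)
```

Including the same check as a regression test in the Remediation section gives the reader a way to confirm the fix against the exact input used in the proof-of-concept.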