Forgetting to include the vulnerable sections of the source code that you analyzed.
List the specific hostnames and IP addresses assigned during your exam.
Your report should be detailed enough that someone with equivalent technical knowledge could replicate your attack from scratch. Include code snippets showing the vulnerability in the source, explain why the vulnerability exists, and show the exact payloads used.
OffSec requires fully automated, "one-click" exploit scripts for the OSWE exam.
This comprehensive guide breaks down exactly how to structure your OSWE documentation, format your proof of concepts, and avoid the reporting pitfalls that cost candidates their certification.

OSWE Exam Format & Score Requirements
Numbered steps, including the exact URL, payload, and parameters used.
Visual evidence of local file inclusion (LFI), remote code execution (RCE), and local flag files (local.txt or proof.txt) is mandatory.
Many capable candidates fail the OSWE purely due to reporting errors. Avoid these common pitfalls:
A successful OSWE report must follow a structured hierarchy. If you use the official OffSec template, do not delete the core sections. If you build your own template, ensure it contains these mandatory elements:

1. Executive Summary
The OSWE exam report is not merely a formality—it’s a critical component of the certification process that tests your ability to communicate complex technical findings professionally and thoroughly. A well-crafted report demonstrates not just that you can hack, but that you understand the methodology behind your actions and can articulate it to technical stakeholders.
Explain why the application is vulnerable by walking through the source code. Quote the exact lines of code responsible for the flaw.
Configure global hotkeys to capture specific screen regions instantly. Use built-in blurring tools to mask sensitive credentials if necessary, though keeping them visible for the report is usually preferred.
Detail how you chained vulnerabilities together (e.g., using a Cross-Site Scripting or SQL Injection to achieve an Authentication Bypass, followed by a File Upload flaw to get Remote Code Execution).
This is perhaps the most widely used template collection. It provides Markdown-based templates for OSWE, OSCP, OSCE, OSEE, and OSWP exams. Benefits include: