OSWE Exam Report Work

This feature validates the core competency of the OSWE certification: . It proves that the candidate is not just running tools (like in OSCP) but is capable of reading source code, understanding logic errors, and writing custom code to exploit them professionally.

Review this checklist before submitting your final PDF to ensure you haven't committed these common reporting blunders:

If you are preparing for the exam, I can also provide tips on: Effective . How to automate your exploitation for the report. Tips for managing the 48-hour time limit. Let me know what you'd like to dive into!

| Time | Activity | Report Status |
| :--- | :--- | :--- |
| Hour 1-2 | Enumerate codebase, map input points (forms, cookies, API params) | Create empty sections for each app |
| Hour 3-6 | Find first vulnerability chain | Draft PoC + code snippet immediately |
| Hour 7-12 | Exploit to get RCE or auth bypass | Write exploitation steps |
| Hour 13-18 | Second application | Same process |
| Hour 19-22 | Privilege escalation or second vector | Add to report |
| Hour 22-24 | STOP EXPLOITING – Polish report | Verify screenshots, code snippets, PoCs |
| Hour 24-48 | Sleep, re-test, submit | Final proofread |

Every step must feature a clear screenshot showing the request, the response, and the exact payload used.

C. Custom Exploit Automation Script

Ensure your script is clean, commented, and readable.

Once your lab access ends, a separate 24-hour window begins specifically for writing and submitting your report. You cannot access the exam environment during this time.

Core Report Requirements

Stakeholders who need a high-level understanding of the business risk and developers who need clear instructions on how to patch the underlying code.

Phase 1: Pre-Exam Preparation

The OSWE heavily emphasizes automation. You are required to write a functional exploit script (typically in Python) that automates the entire attack chain from an unauthenticated state to RCE.