Before generating your final PDF, double-check these critical items:
Remember: If your exploit works on your local VM but you forgot to capture the terminal output in the report, it did not happen.
Use print statements to indicate the progress of the exploit (e.g., [*] Step 1: Bypassing Authentication... Success. ). The Final Review: Double-Checking Your Work oswe exam report work
Is the PDF named exactly according to Offensive Security's instructions (e.g., OS-XXXXX-OSWE-Exam-Report.pdf )? Packaging the Submission
: You must include proof of authentication bypass and remote access, showing contents alongside your IP and username. Exploit Scripts : You are required to include the full source code Exploit Scripts : You are required to include
This article is a deep dive into exactly what the OSWE exam report work entails, how to structure it, common pitfalls, and a pre-submission checklist to ensure you get the "Pass" you earned.
Are the IP addresses matching your assigned exam environment? such as using parameterized queries
Use a local note-taking application (like CherryTree, Obsidian, or Joplin) to organize your thoughts during the exam. Create separate tabs for each target machine. Copy and paste code blocks, HTTP requests, and responses into your scratchpad as you work. This makes compiling the final PDF report much faster. Draft the Exploit Narrative Early
The cursor blinked in the top left corner of the terminal, a small, unblinking green underscore against the black void. For the last four weeks, that cursor had been the only thing that mattered in Elias’s life.
These must be shown in their original location via a terminal/command prompt.
Provide specific, actionable code fixes. Do not just say "fix the input filter." Show a secure coding alternative, such as using parameterized queries, safe serialization libraries, or strict allow-lists. The Automation Requirement: Exploit Scripts