OSWE Exam Report

Offensive Security (OffSec) places a massive emphasis on documentation. A high-quality report is not just a summary of findings; it is a professional document that showcases your methodology, exploit development skills, and remediation advice. This guide will walk you through how to construct an expert-level OSWE exam report to ensure you secure your certification.

1. Understanding the OSWE Report Requirements

Use clear headings, consistent fonts, and appropriate spacing. Save as PDF: Ensure your final document is in PDF format.

Before typing a single word, you must align your document with OffSec's strict exam guidelines.

The OSWE report is a . This means:

Performs any necessary authentication bypass or logic flaw exploitation. Triggers the vulnerability. Delivers the payload.

Before you zip up your report and exploit.py, set a timer for 30 minutes and run this checklist.

While you can document manual discovery, your final script should be "one-click." It should handle the authentication, the vulnerability chain, and the final payload delivery.

The preferred method for many advanced students. You write in simple markdown, use a customized LaTeX template, and compile to PDF via the command line.

OffSec isn’t just testing your ability to find a bug; they are testing your ability to communicate it. In a professional setting, a client doesn't see your terminal; they see your report. If your report is disorganized or lacks detail, you can fail the exam even if you successfully compromised all targets and achieved the required points.

2. The Golden Rule: Reproducibility

Paste the exact snippets of vulnerable source code into the report.

Double-check that every target's local.txt and proof.txt contents match your screenshots perfectly.

You must include unedited screenshots of the local.txt and proof.txt flags inside the report, along with the contents of the files and the IP address of the victim machine via the command line (e.g., id && hostname && ip a && cat proof.txt).

A brief transition section detailing the scope, IP addresses, and the specific software applications analyzed during the exam.

3. Target Breakdowns (The Core Section)

The meat of the report. This is where you document each machine.

📌 : Failing to include a screenshot of a flag or a working PoC script can result in an automatic fail, even if you found all the bugs.

A successful report is highly structured and leaves zero ambiguity. Use the following breakdown to organize your content.

1. Executive Summary