Include exact flags, file paths, screenshots, and command outputs. Example items to include:
This is the heart of your OSWE report work. OffSec examiners do not want to guess. They want to replicate your attack exactly on their internal exam instance.
You must include:
Example Structure:
Step 1: The application accepts a `lang` parameter in `index.php?lang=en`.
Step 2: In `core.php` line 42, the code reads `$language = $_GET['lang'];`
Step 3: At line 45, it executes `include($language . '.php');` without validation.
Step 4: By sending `index.php?lang=../../../../etc/passwd%00`, we achieve LFI.
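As an added illustration (not code from the original post or from the exam application), here is the vulnerable pattern from the steps above beside a hardened version, the kind of "diff of fixed code" a remediation section should show. The file and parameter names follow the example; the language directory and the allowlist contents are assumptions.

```php
<?php
// Added example: vulnerable include pattern vs. a hardened version.
// Parameter and file names follow the walkthrough; LANG_DIR and
// ALLOWED_LANGS are assumed values for illustration.

// --- Vulnerable (steps 2 and 3): user input flows straight into include() ---
function language_path_vulnerable(array $get): string
{
    $language = $get['lang'];        // attacker-controlled
    return $language . '.php';       // no validation before include()
}

// --- Hardened: strict allowlist, then confine the resolved path ---
const LANG_DIR      = __DIR__ . '/lang';   // assumed location of translation files
const ALLOWED_LANGS = ['en', 'de', 'fr'];  // assumed set of supported languages

function language_path_safe(array $get): string
{
    $language = $get['lang'] ?? 'en';

    // 1. Allowlist with strict comparison: traversal sequences, NUL bytes and
    //    unexpected types are all rejected here, before any path is built.
    if (!is_string($language) || !in_array($language, ALLOWED_LANGS, true)) {
        $language = 'en';
    }

    // 2. Defence in depth: resolve the path and verify it stays inside LANG_DIR.
    $base = realpath(LANG_DIR);
    $path = realpath(LANG_DIR . '/' . $language . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('language file missing or outside ' . LANG_DIR);
    }
    return $path;
}

// Assumed wiring in index.php:
// include language_path_safe($_GET);
```

In the report, pairing the two versions like this (with the original line numbers) is what the "Diff of fixed code" screenshot is meant to demonstrate.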
Experienced OSWE candidates use tools to speed up documentation:
However, do not over-automate. A script that generates a "report" without your analysis is worthless. The examiner needs to see your brain working through the source code.
Your final deliverable is a single PDF. It must contain two major sections: the Executive Summary (low detail) and the Technical Report (high detail).
Here is exactly what the technical section requires for each vulnerability (usually 2-3 core exploits, plus chaining steps).
| What to screenshot | Why |
| :--- | :--- |
| Source code with line numbers | Proves white-box access |
| HTTP request that triggers bug | Shows input flow |
| HTTP response confirming exploit | Shows impact |
| Terminal with `id` or `cat flag` | Proves RCE |
| Diff of fixed code | Shows you understand remediation |
Do not screenshot only the terminal output. They will fail you.
Create a template before you start the exam. Here is a proven structure:
Before you hit "Submit," verify every item:
Before we look at the "how," we must understand the "why." The OSWE exam focuses on White Box Penetration Testing (source code review). The report requirements reflect that.
The OSWE report work must prove you understand why the vulnerability exists in the code, not just that you can type a command into a URL bar.