In the real world, a client pays you to find vulnerabilities. But if you cannot explain to the development team exactly how to trigger the bug and exactly where to fix it in the source code, your hack is useless.
- [ ] Every required target has a **dedicated section**.
- [ ] Each vulnerability includes **source code snippet** + **line number**.
- [ ] A **working exploit script** is provided (Python/Go/curl one-liner with explanation).
- [ ] Screenshots include **terminal commands** and **output** (no cropping of critical data).
- [ ] No manual steps like “then I clicked the admin panel” without an automated equivalent.
- [ ] All `proof.txt` values are **plain text** and match the target’s format.
- [ ] The report is **exported as PDF** and submitted before the 24h deadline.
- [ ] No “draft” language, apologies, or missing sections.
If you have time left, step away for an hour, then come back and read your report from the perspective of someone who has never seen the machine. Does it make sense?
after your 48-hour exam window ends. The report is graded on both technical correctness and completeness.

Passing Score: You must earn at least 85 out of 100 points.

mark it as Medium. Integrity matters.
```php
// Vulnerable Code Snippet
$query = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "'";
```
Both the PDF and the archive must be named `OSWE-OS-XXXXX-Exam-Report`, where `OS-XXXXX` is your OSID.