The OffSec Web Expert (OSWE) exam is known for its white-box methodology. You don’t simply “scan” a webapp for potential vulnerabilities: you read the code, understand it, and find the flaws to forge the perfect exploit. Nothing out of reach with the right technical preparation and experience.
AWAE/OSWE/WEB-300
Let’s first clarify what we’re talking about. OSWE (Offensive Security Web Expert) is the certification, while AWAE (Advanced Web Attacks and Exploitation, also known as WEB-300) is the course that prepares you for the exam.
AWAE Advanced Web Attacks and Exploitation: This course is the heart of the preparation. It teaches you to identify complex vulnerabilities in web applications by performing white-box analysis, meaning analyzing the source code. The goal is not just finding the bug, but also developing reliable and reusable exploits.
OSWE OffSec Web Expert: This is the OffSec certification obtained by passing the 48-hour proctored exam (+24h for the report), which tests your ability to research and exploit web vulnerabilities through source code analysis and dynamic application analysis. It’s the proof that you can go beyond surface-level testing.
The exam
Some notes from my experience during the 48-hour exam.
Time management
I started in the morning at my usual wake-up time, without disrupting my routine. I jumped straight into the first target with static code analysis: gathering information, mapping the riskiest paths, identifying critical functions. In parallel, I ran dynamic analysis with a debugger attached to understand where and how suspicious functions were triggered, and Burp to observe the requests.
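One way to make that first static pass systematic is a small sink-triage script that walks the source tree and lists every line calling a classic dangerous function, grouped by vulnerability class, so each hit can then be traced back to user input in the debugger. The script below is an added example, not code from the course, the exam, or the author; the sink regexes are a starting point to extend per stack, and the sample files it scans are constructed for illustration.

```python
#!/usr/bin/env python3
"""First-pass sink triage for a white-box code review.

Walks a source tree, matches every line against regexes for classic sink
families (command execution, deserialization, string-built SQL, eval,
file access) and groups the hits by class, so each one can be traced back
to user input with a debugger attached. Added example, not code from the
course or the exam; the sink table is a starting point to extend per stack.
"""
import os
import re
import sys
import tempfile
from collections import namedtuple

Hit = namedtuple("Hit", "path line category snippet")

SINKS = {
    "command injection": re.compile(
        r'\b(Runtime\.getRuntime\(\)\.exec|ProcessBuilder|child_process\.exec(?:Sync)?'
        r'|shell_exec|passthru|popen|proc_open|system|subprocess\.(?:Popen|call|run))\s*\('),
    "deserialization": re.compile(
        r'\b(readObject|unserialize|pickle\.loads?|yaml\.load|XMLDecoder|ObjectInputStream)\b'),
    # a query call whose argument is concatenated or interpolated, not a bound parameter
    "sql injection": re.compile(
        r'\b(executeQuery|executeUpdate|execute|query|mysqli_query|pg_query)\s*\('
        r'.*("[^"]*\$\w|"\s*\+|\+\s*"|"\s*%|\(\s*f"|`[^`]*\$\{)'),
    # exec( only when not preceded by a dot, so Runtime.exec stays in the command class
    "code evaluation": re.compile(r'\b(eval|(?<!\.)exec|assert|create_function)\s*\('),
    "file access": re.compile(
        r'\b(file_get_contents|fopen|open|include(?:_once)?|require(?:_once)?|readFile'
        r'|FileInputStream|FileOutputStream|Files\.read\w*)\s*\('),
}
EXTENSIONS = {".java", ".jsp", ".php", ".py", ".js", ".ts", ".rb", ".cs", ".go"}
SKIP_DIRS = {".git", "node_modules", "vendor", "test", "tests"}  # review test code separately


def scan_file(path):
    """Return one Hit per (line, sink class) match in a single source file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for number, text in enumerate(fh, 1):
            for category, rx in SINKS.items():
                if rx.search(text):
                    hits.append(Hit(path, number, category, text.strip()))
    return hits


def scan_tree(root):
    """Walk root, skipping vendored and test directories, and collect all hits."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if os.path.splitext(name)[1] in EXTENSIONS:
                hits.extend(scan_file(os.path.join(dirpath, name)))
    return hits


def report(hits):
    """Print hits grouped by sink class, riskiest classes first (dict order)."""
    for category in SINKS:
        group = [h for h in hits if h.category == category]
        if group:
            print(f"== {category} ({len(group)})")
            for h in group:
                print(f"  {h.path}:{h.line}: {h.snippet}")


# Constructed snippets standing in for an application under review; not real code.
SAMPLE_FILES = {
    "src/Runner.java": (
        'Process p = Runtime.getRuntime().exec(cmd);\n'
        'Object o = new ObjectInputStream(in).readObject();\n'
        'ResultSet rs = stmt.executeQuery("SELECT * FROM users WHERE name=\'" + name + "\'");\n'
        'ResultSet safe = ps.executeQuery();  // bound parameters: should not be flagged\n'
    ),
    "web/profile.php": (
        '$u = unserialize($_COOKIE["u"]);\n'
        '$r = mysqli_query($c, "SELECT * FROM users WHERE id=$id");\n'
        'echo file_get_contents($_GET["tpl"]);\n'
    ),
    "node_modules/lib/x.js": "eval(userInput);\n",  # inside a skipped directory
}


def scan_sample():
    """Write the constructed sample tree to a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="sink-triage-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    # usage: python3 sink_triage.py /path/to/source   (no argument: scan the sample)
    report(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_sample())
```

The output is only a worklist: a flagged line is a candidate sink, not a confirmed bug, and the real work is following each one back to a request parameter. Expect false positives (for example Java’s `assert (`) and tune the table to the framework in front of you.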
While analyzing, I kept a text file with useful calls for the exploit and took screenshots of everything: vulnerable code snippets, Burp requests, application screens, flags. By midday I already had a defined path to fully exploit the first target. After lunch I started writing the exploit code and testing it. By evening I had a working PoC and the flags submitted to the OffSec portal. The only manual step was nc -lnvp for the listener, which is allowed as specified in the exam guide.
On the second day, same wake-up time, breakfast, shower and back to it. With the process already refined from day 1, the second target went more smoothly. For this exploit I also integrated the netcat listener into the script, so the PoC was 100% self-contained.
Cheat-sheets and resources during the exam
The use of chatbots and AI is prohibited during the exam. You feel it, especially if, like me, you’re used to having them available when writing code. You have to take a step back: go back to reading documentation, googling, writing code by hand. But since the exploits are scripts that aren’t overly complex, it’s nothing impossible in the end.
The two resources I consulted the most during the exam:
- The official AWAE (WEB-300) PDF from OffSec, for things I didn’t remember by heart: how to set up remote debugging, how to decompile and quickly search in decompilers like JD-GUI.
- The exploit-writing-for-oswe repo by rizemon, invaluable for Python code snippets.
The report
As soon as I discovered something interesting, I pasted notes, screenshots and evidence directly into the Word template provided by OffSec. Don’t wait until the end of the exam to start the report: documenting in real time will save you hours and prevent you from forgetting important details.
What I would do differently
If I had to do it again, I would dedicate a few practice sessions to writing exploits without AI before the exam. When you get used to having a copilot that autocompletes your code, going back to writing everything by hand under pressure is a bit of a shock. Even just solving a few PortSwigger labs by writing the PoCs in Python without assistance is a good exercise to get back into the rhythm.
Preparation
If you have the chance, buy the official AWAE (WEB-300) course from OffSec and follow their methodology. If, like me, you had limited access, for example only 3 months of lab time (which I started in early August, right before going on vacation), the guides, labs, and resources listed below will help you prepare for the exam as best as possible, even without the complete official path.
Below you’ll find, for each vulnerability class relevant to the OSWE, a link to PortSwigger labs for hands-on practice and a selection of case studies and resources I found useful during preparation.
I also recommend looking into Prototype Pollution, CSRF, OS Command Injection and Path Traversal through PortSwigger labs: these are vulnerability classes that can come up during the exam or in day-to-day work.
Take a Break
When you’re exhausted, you can always turn off the PC, throw yourself on the couch and read or watch videos from your smartphone (a tablet is better for IppSec videos if you don’t want to lose your eyesight):
- Read/re-read The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws (2nd Edition).
- Read real Bug Hunting reports: Hackerone Reports
- Read static code analysis writeups:
- Watch this YouTube playlist by IppSec of legendary walkthroughs.
Cheat-Sheet
The OSWE exam is proctored and the use of AI or chatbots is prohibited. So, unless you write code daily, you might find it difficult to write exploits from scratch, under pressure, without external help. Even ending up on Stack Overflow to find out how to print “Hello, World!” in Python is quite frustrating.
My advice: prepare your own cheat-sheets with code snippets, or find ready-made ones like this: OSWE cheatsheet from rizemon
Conclusion
Honestly, I’ve always found OffSec exams a bit stressful. The proctored format and the limited time objectively cause anxiety, but I must say that, compared to the OSCP, the OSWE allowed me to be more relaxed: web is an area where I was better prepared, and it was my second exam with them.
The OSWE is not just a technical exam, it’s a test of endurance, methodology, and white-box problem-solving ability. It requires discipline in reading code and creativity in turning individual bugs into a functional exploit. In general, I recommend the WEB-300 (AWAE) course to everyone. In my opinion, it’s well made, rich in resources, but most importantly it gives you access to labs where you can practice on real and practical vulnerability chains. I also found myself asking for and receiving support on the OffSec Discord channel several times, and I found it functional, well-managed, and very useful, especially when you need a hint to move forward during the course.
In any case, if you need to dive deeper into some topics before the exam, I hope this post helps.