OSWA
OffSec

Offensive Security Web Assessor

Level: Intermediate | Format: 48hr practical + report | Pass: 100+ points | Cost: $1,499

Web application penetration testing — SQL injection, XSS, SSRF, deserialization.

Issuer: OffSec
Format: 48hr practical + report
Duration: 72 hours total
Pass Score: 100+ points
Valid For: 3 years
Full Syllabus
Web Application Reconnaissance (15%)
Passive and active web recon, technology fingerprinting, JS analysis, content discovery

Cross-Site Scripting (XSS) (15%)
Reflected, stored and DOM-based XSS, filter bypass, cookie theft, session hijacking

SQL Injection (20%)
Error-based, union, blind boolean/time-based SQLi across MySQL, MSSQL, PostgreSQL, Oracle

Authentication & Session Attacks (15%)
Brute force, session fixation, credential stuffing, password reset flaws, 2FA bypass

File Inclusion & Path Traversal (10%)
LFI, RFI, log poisoning, PHP wrappers, path traversal to sensitive files

File Upload Vulnerabilities (10%)
MIME bypass, extension blacklist bypass, magic bytes, .htaccess upload, polyglot files

XXE & SSRF (15%)
XML external entity injection, SSRF to internal services and cloud metadata endpoints