Offensive Security Web Assessor

Intermediate Practical web assessment exam + report Pass: Objective/report-based; exact threshold may vary … $1,499

OSWA is a practical web-assessment certification focused on finding and exploiting web vulnerabilities in realistic environments. For 2026 readiness, focus on API-first testing, auth logic flaws, and report clarity.

Official Page

IssuerOffSec

FormatPractical web assessment exam + report

Duration48h exam window + report window (indicative)

Pass ScoreObjective/report-based; exact threshold may vary …

Valid For3y

Overview Syllabus (5) Tools (7) Cheat Sheets (2) Labs (3)

Full Syllabus

Web Recon & Attack Surface Mapping 20%

Content discovery, auth flow mapping, API and role-model understanding.

Input Validation & Injection 25%

SQLi, command/template injection, deserialization and related data-flow flaws.

Authentication, Session & Access Control 25%

Broken auth, session handling, IDOR/BOLA, privilege boundary failures.

Business Logic & Modern Web Risks 15%

Race conditions, abuse paths, workflow manipulation, OAuth/JWT pitfalls.

Reporting & Patch Verification 15%

Clear PoC chains, risk contextualization, mitigation and validation guidance.