OSWE
OffSec

Offensive Security Web Expert

Expert · Source-code-driven practical exam + exploit/report · Pass: Objective/report-based; exact threshold may vary … · $1,499

OSWE emphasizes white-box web exploitation and source-code-driven vulnerability discovery. A strong 2026 approach combines static analysis, exploit chaining, and concise technical communication.

Official Page
Issuer: OffSec
Format: Source-code-driven practical exam + exploit/report
Duration: 48h exam window + report window (indicative)
Pass Score: Objective/report-based; exact threshold may vary …
Valid For: 3y
Recommended Tools
Burp Suite (Essential)
Proxy

Intercept, modify, and automate web testing workflows.

usage: burpsuite
ffuf (Essential)
Web Fuzzing

Directory, parameter and virtual host fuzzing.

install: sudo apt install -y ffuf
usage: ffuf -u https://target/FUZZ -w wordlist.txt
SecLists (Essential)
Wordlists

Payloads/wordlists for discovery and exploitation.

install: sudo apt install -y seclists
usage: ls /usr/share/seclists
CherryTree/Obsidian (Essential)
Workflow

Structured notes for report-grade evidence capture.

usage: Use for methodology + proof tracking
Nuclei
Automation

Template-based vulnerability checks for breadth.

install: go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
usage: nuclei -u https://target
feroxbuster
Content Discovery

Recursive web content discovery.

install: cargo install feroxbuster
usage: feroxbuster -u https://target
sqlmap
Injection Testing

Automated SQL injection testing and validation.

install: sudo apt install -y sqlmap
usage: sqlmap -u "https://target/item?id=1" --batch