Advanced Web Attacks Exploitation WEB 300 Course Training Certification
Who is it for?
The WEB-300 course is designed for experienced penetration testers and security professionals who want to understand advanced web application attacks and exploitation techniques before achieving the OSWE certification.
Exam Details
The Offensive Security Web Expert (OSWE) exam is a demanding 48-hour practical evaluation of your advanced web application penetration testing abilities. You will demonstrate your ability to detect, exploit, and report on sophisticated vulnerabilities in a real-world setting, culminating in the creation of a bespoke exploit.
Benefits of the course
- JavaScript Prototype Pollution
- Advanced Server-Side Request Forgery (SSRF)
- Web Security Tools and Methodologies
- Source Code Analysis
- Persistent Cross-Site Scripting
- Session Hijacking
- .NET Deserialization
- Remote Code Execution
- Blind SQL Injection
- Data Exfiltration
Toolkit covered in the OSWE (WEB-300) bootcamp
OSWE is fundamentally a source-code-review and white-box web exploitation exam. The toolkit weights heavily toward debuggers, decompilers, and request-replay tooling — Burp Pro and a competent IDE are non-negotiable. Macksofy’s WEB-300 exam-prep bootcamp drills the workflow that turns 40,000 lines of unfamiliar source into an authentication-bypass + RCE chain in 12-16 hours.
- Burp Suite Professional. Repeater chains are the heart of OSWE workflow. Bootcamp covers Match-and-Replace rules, Macros for authenticated session refresh, BApp Store extensions (Param Miner, Hackvertor, JWT Editor, Logger++). Pro is required for OSWE — Community lacks Active Scan, Intruder rate, and Collaborator.
- VS Code + language servers. .NET (OmniSharp + ILSpy decompiler integration), Java (Language Support for Java by Red Hat + procyon-decompiler), PHP (PHP Intelephense), Python (Pylance), Node.js (built-in). Bootcamp drills code-navigation reflexes: jump-to-definition, find-all-references, symbol search.
- dnSpy / dotPeek (.NET decompilation). .NET binaries are common on OSWE. We cover dnSpy patching workflow, breakpoint injection for runtime inspection, and string-search across decompiled assemblies.
- JD-GUI / CFR / procyon (Java decompilation). Java WAR/JAR teardown. Bootcamp includes a session on Jython and Java deserialisation gadget chains (Apache Commons, Spring Beans, Hibernate).
- PHP source-review playbook. PHP-specific sinks: include/require + LFI, eval + RCE, unserialize + magic-method gadget chains, type-juggling (== vs ===), variable variables. Bootcamp uses a custom corpus of vulnerable PHP apps for drill repetitions.
- Node.js + JavaScript source review. prototype pollution, eval/Function constructor, template-engine SSTI (Handlebars, Pug, Mustache, EJS), Express middleware ordering bugs, child_process command injection.
- Database fuzzing arsenal. sqlmap (selectively — OSWE prefers manual SQLi), boolean-blind exfiltration scripts in Python, regex-based exfil oracles, second-order injection detection.
- XSS-to-RCE pivots. DOM-based + reflected + stored XSS → fetch() / XMLHttpRequest pivots → CSRF token exfil → administrative-action chains. Bootcamp covers the ‘XSS-only’ challenge class that still appears on OSWE-style exams.
- Authentication-bypass cheat sheets. JWT none-alg, JWT alg-confusion, OAuth state-stripping, SAML signature-wrapping, session-fixation, race-condition login flows.
- Custom Python exploit framework. Bootcamp ships a Python skeleton (requests + urllib3 + threading + colorlog) that students extend for each lab box — by week 8 you have a personal exploit framework you can use on the OSWE exam itself.
What the Macksofy OSWE lab environment looks like
Unlike OSCP’s network-pentest lab, the OSWE bootcamp lab is a collection of full-stack vulnerable web applications across .NET, Java/Spring, PHP, Node.js, and Python/Django. Each app ships with its own source code on the lab box; you’ll exploit, root-cause via code review, then write a chained exploit script.
- Weeks 1-3 (fundamentals): Burp Pro mastery, authentication-bypass class deep-dive, SQLi / NoSQLi manual exploitation, server-side template injection (Jinja2, Twig, Velocity), authentication state-machine analysis.
- Weeks 4-5 (.NET track): dnSpy workflow, ViewState abuse, .NET deserialisation gadgets (Json.NET, BinaryFormatter), MSSQL escalation chains.
- Weeks 6-7 (Java track): Java deserialisation (ysoserial gadget chains), Spring SpEL injection, JNDI/LDAP injection (post-Log4Shell threat model), Tomcat manager pivot.
- Weeks 8-9 (PHP + Node tracks): PHP type-juggling and unserialize chains, Node.js prototype pollution and SSTI, full-stack JavaScript supply-chain bugs.
- Weeks 10-11 (exam-style rehearsals): Mock 48-hour exams on Macksofy-built challenge apps that combine authentication bypass + RCE chain + exploit-script-writing under realistic time pressure.
- Week 12 (exam-prep sprint): Report-writing rehearsal, time-management playbook for 48 vs 24-hour windows, retake strategy.
Total hands-on hours: ~300 hours over 12 weeks. Macksofy provisions an isolated lab VPN; each student gets their own per-app instances so concurrent exploitation doesn’t collide.
OSWE exam structure and scoring
The OSWE exam is a 47-hour 45-minute hands-on attack window followed by a 24-hour report-writing window. OffSec provisions an exam VPN with two custom web applications, each shipped with source code. For each application you must achieve an authentication bypass AND a remote code execution, then write a chained exploit script that automates both. Each application is worth 50 points (auth bypass = 25, RCE = 25). Pass mark is 85/100.
Bootcamp exam-day playbook: First 3 hours are code-review only on both applications in parallel — no exploitation, just mapping the auth flow and identifying suspicious sinks. Hours 4-20 are deep-dive on the first application until you have a working exploit-script proof. Hours 20-40 swing to the second application. Hours 40-47:45 are reserved for buffer (one application is always harder than the other) and exploit-script polishing. Sleep aggressively in the first 24 hours — the second day is when fatigue costs most.
Auto-graded exploit scripts: The OffSec graders run your submitted exploit script against a fresh instance of the target. If your script requires manual intervention, partial credit applies — but full credit only goes to fully-automated end-to-end chains. The Macksofy bootcamp drills exploit-script-writing from week 4 onward to make this reflexive.
Retake strategy: Standard OffSec retake terms apply (additional exam fee, 14-day cooldown). The OSWE pass rate is historically lower than OSCP — expect a retake to be more likely than not on the first attempt, even with bootcamp preparation. Macksofy includes a post-exam targeted-practice block for any cohort member who needs to retake.
OSWE career outcomes in the India market — 2026
OSWE is the single most-respected web-app security credential in India. Of 90 sampled India AppSec / web-pentest roles in Q1 2026, 62% list OSWE as ‘preferred’ (vs ~30% for Burp Suite Certified Practitioner, ~15% for CWE/CWE-1). The credential is heavily concentrated at fintech, SaaS, and consumer-product teams that ship JavaScript-heavy frontends and have large attack surfaces.
Salary bands (India, 2026):
- 2-4 years AppSec + OSWE: ₹18-28 LPA at consultancies (NotSoSecure, Payatu, Lucideus), ₹22-38 LPA at product firms (Razorpay, Cred, Atlassian Bangalore, Microsoft IDC, Adobe NCR, Salesforce Hyderabad).
- 4-7 years AppSec + OSWE + secondary: ₹32-52 LPA at lead AppSec / staff-security-engineer roles.
- 7+ years + OSWE + bug-bounty top-tier: ₹55-90 LPA at principal AppSec / DevSecOps lead roles at unicorns and FAANG GCCs.
- Bug bounty supplement: Top-decile Indian bounty hunters with OSWE report ₹15-50 LPA from HackerOne/Bugcrowd disclosures.
Average time-to-first-offer post-OSWE for candidates already in AppSec roles: 4-8 weeks for upgrades within India product firms; 8-14 weeks for fresh placements. The bootcamp’s placement cell maintains particularly strong relationships with the Indian fintech AppSec hiring pool — most Razorpay / Cred / Slice AppSec hires in 2025 came via referral pipelines that include Macksofy alumni networks.
OSWE vs adjacent certs — when to pick what
OSWE vs Burp Suite Certified Practitioner (BSCP): BSCP is PortSwigger’s exam (£99), 4-hour practical, focused on attacks demonstrated in Web Security Academy. Much cheaper, faster, but tests classroom-style vulnerabilities rather than authentic-source-code review. Pick BSCP as a stepping-stone before OSWE — it’s a strong signal that you’ve worked through 200+ academy labs. Pick OSWE for the white-box source-review credential.
OSWE vs GIAC GWAPT (GIAC Web Application Penetration Tester): GWAPT is a 4-hour multiple-choice exam ($979). Theory-heavy, tests recognition rather than execution. Very strong recruiter recognition in US/EU regulated industries (federal contractors, healthcare); weak in India product/fintech. Pick GWAPT if your target market is US federal-contractor AppSec. Pick OSWE everywhere else.
OSWE vs eLearnSecurity eWPTX: eWPTX is the closest hands-on comparator — practical exam, source-code occasionally provided. Recognition in India is moderate; the INE/eLearnSecurity acquisition has slowed certificate updates. Prefer OSWE unless cost is the dominant constraint.
OSWE vs OSCP: Different domains entirely. OSCP is network/infrastructure penetration testing — heavy on enumeration, AD attacks, privilege escalation. OSWE is web-application source-review and exploitation. Most AppSec practitioners hold both; the typical pathway is OSCP first (broader market acceptance), then OSWE 12-18 months later for specialisation.
Sample bootcamp walkthrough — .NET MVC authentication bypass + RCE
A representative classroom challenge: an ASP.NET MVC marketplace application with admin panel. The chain that bootcamp drills:
- Source mapping (45 min): Unzip the app, open in VS Code. Locate AccountController, identify the login flow, map the cookie-issuance code path. Note custom IPrincipal implementation with role-stuffing logic.
- Authentication bypass discovery (90 min): Trace the cookie-validation code in ApplicationUserManager. Spot a string comparison using == on a user-controlled GUID against a database-stored token, with no constant-time comparison and no token expiry check. Realise that the token is a deterministic hash of (username + creation-time-truncated-to-second). Identify a registration flow that returns the token in a debug header (left enabled in ‘staging’ mode).
- Exploit script — auth bypass (60 min): Python script that registers a throwaway user, captures the debug header, replays against the admin endpoint with the captured token. Validates session by hitting /admin/dashboard. End-to-end automated.
- RCE discovery (3 hours): In the admin panel, find a /admin/import-csv endpoint. CSV parsing uses ExcelDataReader. Identify that a CSV with =cmd|’/c calc’!A1 formula injection executes locally — but we want server-side RCE, not client-side. Pivot: search for OleDb usage. Find a /admin/run-report endpoint accepting a ‘connection-string’ query parameter that flows into a SqlDataAdapter — classic SQLi via the connection string itself. Exploit via xp_cmdshell (sa role granted to the application’s SQL user).
- Exploit script — RCE chain (45 min): Extend the auth-bypass script to POST the malicious connection-string to /admin/run-report, then trigger xp_cmdshell with a reverse-shell payload. Test against fresh app instance — full automation works.
- Report writeup (45 min): Executive summary, technical attack chain with code snippets pointing to vulnerable lines, business impact, remediation (use HMAC-with-timing-safe-comparison for tokens, never expose debug headers in production, parameterise SQL via prepared statements).
Total time on a familiar-class box: ~8 hours. The exam variant will be on a different stack — but the workflow shape (source map → auth bypass discovery → RCE discovery → automate → report) is identical.
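The token remediation named in the report step, shown beside the flawed pattern from the discovery step, as an added example that is not part of the bootcamp material. It is written in Python rather than the application's C#, and every name in it (`weak_token`, `issue_token`, `verify_token`, `SECRET_KEY`, `TOKEN_TTL_SECONDS`) and the token layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo values. A real key comes from a secret store, never from source.
SECRET_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL_SECONDS = 900


def weak_token(username: str, created_at: float) -> str:
    """Flawed pattern: unkeyed hash of the username and a second-resolution time."""
    material = f"{username}{int(created_at)}".encode()
    return hashlib.sha256(material).hexdigest()


def weak_verify(presented: str, stored: str) -> bool:
    """Flawed check: plain equality, not constant-time, and no expiry."""
    return presented == stored


def issue_token(username: str, now: float, key: bytes = SECRET_KEY) -> str:
    """Hardened: the payload carries an expiry and is authenticated with HMAC-SHA256."""
    payload = f"{username}|{int(now) + TOKEN_TTL_SECONDS}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verify_token(token: str, now: float, key: bytes = SECRET_KEY):
    """Return the username if the token is authentic and unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong part count or invalid base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Authenticate first, in constant time, before trusting any field.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        username, expires = payload.decode().rsplit("|", 1)
        expires_at = int(expires)
    except ValueError:  # also covers UnicodeDecodeError
        return None
    if now >= expires_at:  # the expiry check the flawed version lacked
        return None
    return username
```

The weak token depends only on the username and the creation second, so it carries no secret at all; the hardened one cannot be produced or altered without the server-side key and stops verifying after `TOKEN_TTL_SECONDS`.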
Readiness checklist before joining the OSWE bootcamp
OSWE is the second-hardest OffSec exam after OSEE. Self-assess against this list. Eight-of-twelve is the typical safe baseline.
- Comfortable reading source in at least 2 of: PHP, Node.js, Python, Java, C# (.NET).
- Have written a custom Burp Suite extension or BCheck (Pro experience required).
- Can write a 200-line Python exploit script with requests, threading, and error handling.
- Understand OWASP Top 10 deeply enough to recognise the bug class from a code snippet.
- Have manually exploited (without sqlmap) a boolean-blind SQL injection end-to-end.
- Have read and understood at least one CVE writeup involving a real-world auth bypass (e.g. Confluence CVE-2022-26134 or similar).
- Have used a Java or .NET decompiler (dnSpy, JD-GUI, CFR) on a binary.
- Understand JWT structure deeply — alg-none, alg-confusion, key-confusion, kid-injection.
- Have built or contributed to a web application of any size — front-end framework experience is a plus but not required.
- Understand HTTP request smuggling at a concept level (TE.CL, CL.TE).
- Comfortable debugging XSS attack chains using browser DevTools (call stack, event listeners).
- Can commit 20+ study hours/week consistently for 12 weeks.
OSCP-pass + 12 months of AppSec / pentest field experience is the typical pre-OSWE profile. If you don’t have OSCP, we recommend completing OSCP first or pairing OSWE with our 4-week ‘OSWE Foundations’ bridge module that closes the source-review gap.
Frequently asked questions — OSWE bootcamp
Is Macksofy an Offensive Security Authorized Training Partner?
No. Macksofy Trainings runs an independent exam-prep bootcamp for OSWE (WEB-300). We are not an Offensive Security Authorized Training Partner. OffSec exam vouchers, lab subscriptions, and the official WEB-300 courseware must be purchased directly from OffSec.com. Our bootcamp fee covers Macksofy-built lab infrastructure, mentored sessions, and exam-prep methodology only.
Do I need OSCP before attempting OSWE?
Not strictly required, but strongly recommended. OSWE assumes web-application security fluency that most candidates only acquire after OSCP plus 12 months of AppSec / pentest field work. Candidates attempting OSWE without OSCP background should add our 4-week OSWE Foundations bridge module — it covers Burp Pro mastery, the OWASP Top 10 at exploit depth, and source-review fundamentals.
How much does the OSWE exam cost?
OffSec charges approximately USD 1,749 for OSWE exam + 90-day lab. Pricing changes — confirm at offsec.com/pricing. The Macksofy bootcamp fee is exclusive of OffSec charges.
Is Burp Suite Professional required for OSWE?
Yes. The OSWE exam workflow depends on Burp Pro features (Active Scan inputs, Intruder rate, Collaborator). The Macksofy bootcamp includes guidance on PortSwigger’s individual-license pricing and Macksofy can vouch for academic-discount applications.
How long does the OSWE exam take?
47 hours 45 minutes attack window + 24 hours report window. The attack window is split across two web applications worth 50 points each. Pass mark is 85/100. Sleep is essential — most candidates underestimate the cognitive load of 48 hours of continuous source-review.
What programming languages does the OSWE exam test?
The exam picks two applications from a rotating stack including .NET (C# / F#), Java (Spring / Tomcat), Node.js, Python (Django / Flask), and PHP. You don’t need expert-level fluency in all five — the bootcamp drills cross-language source-review reflexes so you can navigate any of them within the first 30 minutes.
What’s the pass rate for OSWE?
OffSec does not publish official pass rates, but Macksofy bootcamp cohort data (2024-2025) shows ~55% first-attempt pass, ~80% pass within two attempts. OSWE is harder than OSCP — the source-review depth and exploit-script automation requirements catch many candidates off-guard. Plan for a possible retake.
Can I use ChatGPT / Copilot / LLMs during the OSWE exam?
OffSec exam terms prohibit AI assistance during the exam. The bootcamp deliberately drills source-review and exploit-writing without LLM help so the workflow is reflexive on exam day. We do cover when LLMs are useful in production AppSec work (after the exam is passed) and when they generate dangerous false-positives.
Will I get placement assistance after passing OSWE?
Yes, particularly strong in the India fintech / SaaS AppSec hiring pool. Macksofy’s placement cell maintains warm-intro relationships with Razorpay, Cred, Atlassian Bangalore, Microsoft IDC, and 30+ other product-security teams. We run targeted resume reviews and mock interviews during weeks 10-12.
Are the Macksofy lab apps the same as OSWE exam apps?
No. Our lab apps are independently designed to drill the same attack classes that appear on OSWE — auth bypass via timing/race/cryptographic flaws, RCE via deserialisation/SSTI/SQLi/SSRF chains, exploit-script automation. We have no knowledge of current OffSec exam infrastructure and would not attempt to mirror it. The lab’s purpose is methodology and reflex-building, not exam-app memorisation.
Related reading: Server-side web flaws — SSRF, insecure deserialization and HTTP request smuggling — are among the 10 attack techniques defining cybersecurity in 2026 — see how the technique you are training for shows up in real 2026 intrusions.
Pricing note: The listed course price is for the course and certification package. Personalised instructor-led training and one-on-one mentorship are charged separately — contact our team for a customised training and mentorship quote.
Train in your city: Macksofy runs OSWE (WEB-300) cohorts for learners across India — including Mumbai · Delhi NCR · Bangalore. See every city we cover on our cybersecurity training locations page.
Curriculum
- 10 Sections
- 10 Lessons
- 60 Hours
- JavaScript Prototype Pollution (1 lesson)
- Advanced Server-Side Request Forgery (SSRF) (1 lesson)
- Web Security Tools and Methodologies (1 lesson)
- Source Code Analysis (1 lesson)
- Persistent Cross-Site Scripting (1 lesson)
- Session Hijacking (1 lesson)
- .NET Deserialization (1 lesson)
- Remote Code Execution (1 lesson)
- Blind SQL Injection (1 lesson)
- Data Exfiltration (1 lesson)








