
100+ Free OSWA Practice Questions

Pass your OffSec Web Assessor (OSWA) exam on the first try — instant access, no signup required.

No registration, no credit card, no hidden fees; start practicing immediately.
~60-70% first-attempt pass rate (community estimate), 100+ questions, 100% free.

Key Facts: OSWA Exam

  • Exam Duration: 24 hrs (OffSec: 23h45m practical)
  • Passing Score: 70/100 (OffSec)
  • Exam Targets: 5 (OffSec)
  • Learn One Price: $2,499 (OffSec, annual)
  • Validity: 3 yrs (OffSec, since 2023)
  • Difficulty: 200-level (OffSec foundational web)

The OSWA exam is NOT multiple choice — it is a 23h45m hands-on web-pentest lab with 5 independent targets. Each target has local.txt and proof.txt files you must capture by exploiting web vulnerabilities, then 24 hours to submit a professional report. You need 70 of 100 points to pass. Our 100 practice questions on this site build the underlying knowledge (OWASP Top 10, Burp, SQLi/XSS/SSRF payloads, auth flaws) — they do NOT replicate the exam. Certification is valid 3 years.

Sample OSWA Practice Questions

Try these sample questions to test your OSWA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which OWASP Top 10 2021 category covers SSRF attacks exploiting a server to make requests to internal services?
A. A01: Broken Access Control
B. A10: Server-Side Request Forgery
C. A03: Injection
D. A05: Security Misconfiguration
Explanation: SSRF is its own category — A10 — in OWASP Top 10 2021, reflecting its growing prominence in cloud breaches (AWS metadata theft, internal port scans). A01 is broken access, A03 is injection, A05 is misconfiguration.

2. Which URL is the canonical AWS EC2 metadata endpoint targeted by SSRF exploits?
A. http://169.254.169.254/latest/meta-data/
B. http://127.0.0.1:8080
C. http://localhost:3306
D. http://aws.amazon.com/meta-data/
Explanation: AWS EC2 (and similar on GCP/Azure) exposes instance metadata at 169.254.169.254 (link-local). SSRF to this endpoint can retrieve IAM role credentials. IMDSv2 mitigates by requiring a session token via PUT. The other URLs are unrelated.

3. Which SQL payload is a classic UNION-based extraction of a database's version string from a vulnerable parameter?
A. ' UNION SELECT NULL, @@version, NULL --
B. SELECT 1/0
C. DROP TABLE users
D. INSERT INTO logs VALUES('x')
Explanation: UNION-based SQLi appends a SELECT with matching column count and types, surfacing database metadata like @@version on MySQL/SQL Server or version() on PostgreSQL. 1/0 is an error trigger; DROP/INSERT are destructive and not for leaking data via UNION.

4. Which Burp Suite tool is used to replay and modify a single HTTP request repeatedly for manual testing?
A. Repeater
B. Intruder
C. Collaborator
D. Scanner
Explanation: Burp Repeater replays modified requests one at a time — the single most-used exploit tool in Burp. Intruder automates parameter fuzzing; Collaborator performs OOB interactions; Scanner is the automated vuln scanner (Pro only).

5. Which NoSQL injection payload bypasses a simple {username, password} authentication in MongoDB?
A. {"username": "admin", "password": {"$ne": null}}
B. {username: null}
C. DROP COLLECTION
D. SELECT * FROM users
Explanation: MongoDB operator injection replaces a string value with an operator object like $ne (not equal). {$ne: null} matches any non-null password, bypassing auth. SQL syntax does not apply; `DROP COLLECTION` is not an injection payload.
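The fix for question 5 in code, as an added example that is not from the page or OffSec: the unsafe login filter beside a hardened one that type-checks credentials so an operator object can never reach the query, plus a walker that flags `$`-prefixed keys anywhere in a request body for validation or logging. Queries are built as plain dicts so it runs without a database; the function names are hypothetical.

```python
# Added example (not from the page or OffSec): guarding a MongoDB-style login
# against operator injection such as {"$ne": null}. Queries are plain dicts so
# this runs without a database; all function names are hypothetical.

class CredentialError(ValueError):
    """Raised when a credential field is not a plain, non-empty string."""


def find_operator_keys(value, path="body"):
    """Walk a decoded JSON body and return the paths of any keys that start
    with '$' (MongoDB operators); handy for request validation and logging."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            if isinstance(key, str) and key.startswith("$"):
                hits.append(f"{path}.{key}")
            hits.extend(find_operator_keys(child, f"{path}.{key}"))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            hits.extend(find_operator_keys(child, f"{path}[{i}]"))
    return hits


def login_filter_unsafe(body):
    """Insecure pattern: client-controlled values are copied straight into the
    query, so an object sent in place of a string becomes a query operator."""
    return {"username": body.get("username"), "password": body.get("password")}


def login_filter_safe(body):
    """Hardened pattern: each credential must be a non-empty str, so a dict can
    never reach the query engine. The filter uses only the username; the
    password is compared against the stored hash outside the query."""
    creds = {}
    for field in ("username", "password"):
        value = body.get(field)
        if not isinstance(value, str) or not value:
            raise CredentialError(f"{field} must be a non-empty string")
        creds[field] = value
    return {"username": creds["username"]}


def is_rejected(body):
    """True when the hardened builder refuses the body (used for checks)."""
    try:
        login_filter_safe(body)
    except CredentialError:
        return True
    return False
```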
6. Which XSS sub-type executes payload via client-side JavaScript writing tainted data into the DOM (e.g., document.write, innerHTML) without server echoing?
A. DOM-based XSS
B. Reflected XSS
C. Stored XSS
D. mXSS
Explanation: DOM-based XSS stems from client-side JS mishandling sources (location.hash, document.URL) into sinks (innerHTML, eval, document.write). The server doesn't echo the payload. Reflected/stored XSS involve server responses. mXSS is mutation XSS — narrower.

7. Which Burp feature helps exfiltrate data via DNS/HTTP OOB during blind XXE or SSRF attacks?
A. Burp Collaborator
B. Burp Decoder
C. Burp Proxy
D. Burp Target
Explanation: Burp Collaborator provides unique subdomains and HTTP callback URLs; blind XXE/SSRF/RCE exploits trigger interactions to Collaborator, which displays them. Decoder encodes/decodes; Proxy intercepts; Target maps the site.

8. Which XXE OOB payload uses an external DTD to exfiltrate /etc/passwd via an attacker-controlled server?
A. Parameter-entity chain fetching a DTD that defines %send; with data in URL
B. <html><body>xss</body></html>
C. DROP TABLE
D. printf(%s)
Explanation: OOB XXE uses DTD parameter entities: the attacker serves a DTD referencing an ENTITY that includes file:///etc/passwd, then wraps its value into a URL fetched back to the attacker's server via the %send; parameter entity. The other options are unrelated.

9. Which JWT vulnerability allows forging tokens by setting alg=none?
A. alg=none: some libraries accept unsigned tokens when alg=none — allowing attackers to modify the payload freely
B. alg=HS256 is insecure
C. RS256 is always broken
D. JWT cannot be forged
Explanation: alg=none was a historical JWT bug — libraries accepted tokens claiming 'no signature required' as valid. Modern libraries reject it, but occasional misconfigurations persist. HS256/RS256 are legitimate algorithms when properly implemented.
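What "reject it" looks like for question 9, as an added example that is not from the page or OffSec: a stdlib-only HS256 verifier that pins the expected algorithm instead of trusting the token's own header, so an alg=none token (and, as a generalization, any RS256-to-HS256 confusion) is refused before the signature is compared. The function names and the secret are constructed for this example.

```python
# Added example (not from the page or OffSec): an HS256 JWT verifier that pins
# the algorithm instead of trusting the token's own header, so a token claiming
# alg=none (or any other algorithm) fails before the signature is even checked.
# Function names and the secret are constructed for this example.
import base64, hashlib, hmac, json

SECRET = b"example-secret-do-not-use"  # constructed; real keys come from config

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(payload, secret=SECRET):
    """Issue a token so the verifier can be exercised offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode())
             for x in (header, payload)]
    sig = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])

def verify_hs256(token, secret=SECRET):
    """Return the payload only if the header says HS256 and the HMAC matches;
    return None otherwise (bad shape, other alg, wrong or empty signature)."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        sig = _b64url_decode(s64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # rejects "none", "None", RS256 confusion, missing alg
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # an empty signature never matches a 32-byte HMAC
    try:
        return json.loads(_b64url_decode(p64))
    except ValueError:
        return None

# Constructed negative case: header {"alg":"none"}, payload {"sub":"admin"},
# empty signature. Any verifier should return None for this token.
UNSIGNED_TOKEN = (_b64url_encode(b'{"alg":"none"}') + "."
                  + _b64url_encode(b'{"sub":"admin"}') + ".")
```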
10. Which command-line tool automates SQL injection discovery and exploitation?
A. sqlmap
B. nmap
C. hydra
D. john
Explanation: sqlmap automates detection, enumeration, and exploitation of SQLi across many DBMS. It supports UNION, boolean, time-based, error-based, and stacked techniques. nmap is a network scanner, hydra is a login brute-forcer, john is a hash cracker.

About the OSWA Exam

The OffSec Web Assessor (OSWA) is OffSec's foundational web application penetration testing certification tied to the WEB-200 course. It validates the ability to discover and exploit common web vulnerabilities — XSS, SQLi, SSRF, XXE, auth bypass, IDOR, file upload, SSTI, LFI/RFI, deserialization — using Burp Suite and Kali Linux.

  • Questions: 5 scored questions
  • Time Limit: 23 hours 45 minutes + 24 hours reporting
  • Passing Score: 70/100 points
  • Exam Fee: $2,499 (Learn One annual subscription), per OffSec (Offensive Security)

OSWA Exam Content Outline

  • Injection Attacks (SQLi, NoSQLi, Command, SSTI) [Core]: UNION/blind/time-based/stacked SQLi, SQLMap automation, MongoDB $ne/$gt/$regex operators, Jinja2/Twig/FreeMarker template injection, OS command injection, PHP filter chains
  • Client-Side & Cross-Site (XSS, CSRF, CORS) [Core]: Reflected/stored/DOM XSS, CSP bypass, postMessage abuse, BeEF hooks, CSRF vs SameSite cookies, CORS misconfiguration, prototype pollution
  • Server-Side & File-Based (SSRF, XXE, LFI/RFI, Upload) [Core]: AWS metadata (169.254.169.254) vs IMDSv2, GCP metadata, XXE with external DTD + OOB via Burp Collaborator, php://filter LFI, ZIP wrapper RCE, log poisoning, file upload bypasses (extension, MIME, polyglot)
  • Auth, Access Control & APIs [Core]: JWT none-alg / kid-injection / weak secret, OAuth misconfig, IDOR, race conditions, GraphQL introspection abuse, REST parameter tampering, Burp Suite (Repeater, Intruder, Collaborator, Autorize, JWT Editor)

How to Pass the OSWA Exam

What You Need to Know

  • Passing score: 70/100 points
  • Exam length: 5 questions
  • Time limit: 23 hours 45 minutes + 24 hours reporting
  • Exam fee: $2,499 (Learn One annual subscription)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

OSWA Study Tips from Top Performers

1. Own Burp Suite Community: Repeater, Intruder, Collaborator, Decoder, match-and-replace rules
2. Complete all free PortSwigger Web Security Academy labs — they map directly to OSWA topics
3. Memorize cloud metadata endpoints: 169.254.169.254 (AWS classic), IMDSv2 headers, GCP, Azure
4. Build payload muscle memory: ' OR 1=1--, <script>, ${jndi:ldap://}, {{7*7}}, ../../etc/passwd
5. Learn Burp Collaborator for blind XXE / SSRF OOB exfiltration — it is essential on the exam
6. Understand JWT alg=none, alg-confusion (RS256 -> HS256), kid injection, and weak HS256 secrets
7. These are knowledge checks — the real exam is 24 hours of hands-on exploitation

Frequently Asked Questions

Is the OSWA exam multiple choice?

No. The OSWA exam is a fully practical 23h45m hands-on web-pentest lab. You face 5 independent target web applications and must capture local.txt (lower privilege) and proof.txt (final proof) flags by finding and exploiting real vulnerabilities. Then you have 24 hours to submit a professional report. Our 100 practice questions on this site cover the underlying knowledge (OWASP Top 10, Burp workflows, payloads, Kali tools) — they do not replicate the exam.

What is the OSWA passing score?

You need 70 out of 100 points to pass. Points come from successfully capturing local.txt and proof.txt on the 5 exam targets and documenting the exploitation chain in the report.

What topics are on the OSWA / WEB-200?

OWASP Top 10 2021 categories (broken access, crypto failures, injection, insecure design, misconfig, vulnerable components, auth failures, integrity failures, logging failures, SSRF), plus Burp Suite, SQLMap, XSS variants, XXE with OOB exfiltration, SSRF to cloud metadata, JWT flaws, IDOR, file upload bypass, SSTI, deserialization (Java/PHP/.NET/Python), and API/GraphQL issues.

Is OSWA a good starting point for web pentesting?

Yes. OSWA (WEB-200) is OffSec's foundational web-pentest certification and is less advanced than OSWE (WEB-300), which focuses on white-box source-code review and chained custom exploits. OSWA is black-box exploitation of common classes — ideal for aspiring web pentesters or bug-bounty hunters.

Do I need to write custom exploits for OSWA?

OSWA is primarily black-box exploitation using Burp Suite, curl, SQLMap, and payloads from your own playbook. You will script some attacks in Python (JWT forging, blind injection timing), but building zero-day custom exploits from source code is OSWE territory, not OSWA.

How should I use these practice questions?

Treat them as knowledge validators for WEB-200 modules. Weak answers on Burp Collaborator usage, JWT vulnerabilities, SSRF cloud metadata URLs, file upload bypass techniques, or SSTI payloads point back to the lab exercises. Hands-on practice on PortSwigger Web Security Academy is the natural complement.