OSWE : My Journey & Review

Astik Rawat
7 min readDec 20, 2022

Hi, I am finally back after so many months! I wanted to share my honest review on Offensive Security Web Expert (OSWE) as this one took me a while to finish it. It was called AWAE i.e. Advance Web Attack and Exploitation in past. This was one of the longest proctor exam I have ever given till to this date. As always I wanted to share my personal experience and review with whole course and it’s material.

Note: If you don’t wanna go with the whole blog I would suggest do read all my attempts and personal tips. I hope it would be enough if you are going for the exam soon.


Before going for OSWE, just wanna let you know my experience with Penetration Testing just with Web Application. I have already done Burp Suite Certified Professional (BSCP) and some hands on experience with Webapp CTFs challenges. If you are someone who wants to get into web application penetration testing, I would definitely suggest going with Port Swigger Academy as it teaches you so much about vulnerabilities when comes to web app. As OSWE is more on White box that is source code reading and understanding the code, BSCP is more on black box web app testing with understanding the methodology to find a vulnerability on Web Application.


As usual try to keep notes on part of web application where you find it difficult and it is normal to keep notes on part with reference where you find it confusing. You need to learn one scripting language like python, ruby, etc. You need to understand one of the scripting language as you need you make a proof of concept (poc) script for the exam which does all the exploitation of the web app when you run it.


As someone who had background more focused on Network Security side than Web Developing it was little tough to make good progress in the start. I did some Java programming back in high school, but it wasn’t good enough to understand the website infrastructure for me. So I had to start with understanding the fundamentals of many programming languages. Starting with creating a basic form page and redirection to another page.

The following charts are referenced from Nathan Rague’s OSWE blog…



Astik Rawat

Security Consultant | OSWE | OSCP | OSWP | CRT | BSCP | PNPT | eMAPT | PJPT | CPENT | eJPT | CEH Master | CPSA | Network+ | Multiple CVEs