OSWE Review

In August 2025, I passed OffSec’s OSWE certification. The certification is challenging and requires a concentrated effort. I’m sharing the resources I found most beneficial to prepare for the exam. Good luck and have fun!

bmdyy

bmdyy is a course creator whose material was helpful for building confidence close to my exam date. I recommend completing his labs in line with WEB-300’s official challenge labs.

HackTheBox Academy

HackTheBox Academy provided me with additional reps to feel comfortable after completing the WEB-300 course material. I enrolled in the Senior Web Penetration Tester path and I particularly enjoyed the following modules:

  • Advanced XSS and CSRF Exploitation
  • Modern Web Exploitation Techniques
  • Blind SQL Injection
  • Advanced SQL Injections
  • Introduction to Deserialization Attacks
  • Intro to Whitebox Pentesting

You’ll note that bmdyy is the author of several of these modules…

rizemon’s Exploit Writing for OSWE

‘Exploit Writing for OSWE’ is a clever collection of Python snippets that will keep your OSWE exploit script sane.

(NOT) TJNull’s OSWE Box List

I did not use TJNull’s OSWE box list to prepare for the exam. My prep time was limited for the OSWE and I needed the highest return on investment for every study hour. I always favor guided study material over black-box HackTheBox challenges. That’s what works for me; your results may vary. If you have the time, these boxes could be a good investment.

WEB-300 Challenge Labs

The WEB-300 challenge labs are excellent. Keep an eye on OffSec’s Discord for new challenge lab releases. A new challenge lab was released during my OSWE prep time, and I would not have known unless I checked Discord.

The challenge labs are at the end of the course; don’t accidentally skip over them like my coworker did. Thankfully, they still passed the exam.