Include screenshots of your web proxy (Burp Suite) showing the payloads.
Double-check that every target's local.txt and proof.txt contents match your screenshots perfectly.
If the reviewer can't read the flag, it doesn't count.
Do not wait until the 48 hours are over to start your report. Take screenshots of every successful step immediately.
A high-level overview of the engagement, written for non-technical stakeholders, summarizing the vulnerabilities found and the overall security posture of the tested environments.
Use the official OSWE exam report template for your documentation. After writing your report, compress it as a .7z file for assessment. The submission must occur within 24 hours of completing the exam period.
Ensure your script accepts the target IP/URL and local port as command-line arguments instead of hardcoding them. This proves the exploit is dynamic.
