Kyser Clark

How I Passed the OSWA After Three Failures: My Journey & Tips for Success



Failing three times before finally passing the OffSec Web Assessor (OSWA) exam on my fourth attempt was a journey of grit, resilience, and learning. In this blog article, I’ll share my entire OSWA experience, covering the course, labs, exam, and the lessons I learned. Whether you’re looking to pursue this certification or just curious about its challenges, this comprehensive guide will help you decide if the OSWA is right for your goals.




What Is OSWA?

The OSWA certification is tied to OffSec’s Web 200 course, officially named Foundational Web Application Assessments with Kali Linux. This course is designed to teach the foundational skills necessary for web application penetration testing, including:

  • SQL Injection

  • Cross-Site Scripting (XSS)

  • Cross-Site Request Forgery (CSRF)

  • Server-Side Template Injection (SSTI)

  • Server-Side Request Forgery (SSRF)

  • Directory Traversal

  • XML External Entity Attacks (XXE)


You’ll also become proficient with tools like Burp Suite, a cornerstone for web application testing. By the end of the course, you’ll have the foundational knowledge needed to confidently tackle real-world web application assessments.


How Does OSWA Compare to OSCP?

The OSWA is focused exclusively on web application penetration testing, unlike the OSCP (OffSec Certified Professional), which emphasizes network penetration testing with some coverage of web vulnerabilities. While the OSCP includes topics like SQL injection, it doesn’t deeply examine web application testing methodologies. For those looking to specialize in web app security, the OSWA is an ideal supplement to the OSCP.


The Challenge Labs: A Missed Opportunity

One of my biggest disappointments with the OSWA course is the limited number of challenge labs—just nine vulnerable web applications (they added one more after I made my YouTube video). In contrast, the OSCP offers over 60 vulnerable machines, along with three full mock exams. This abundance of resources significantly contributed to my success with the OSCP on my first attempt, as I completed 40 machines before taking the exam.


With OSWA, the limited practice options meant I often felt underprepared. Many students in the community recommend supplementing the OSWA labs with external resources to gain additional practice.


The OSWA Exam: Structure and Challenges

The OSWA exam closely mirrors the OSCP’s structure. You’ll have:

  • 23 hours and 45 minutes to complete the exam

  • 24 additional hours to write and submit your report


The exam consists of five vulnerable web applications, each with two flags. To pass, you need to achieve a score of 70% or higher (7 out of 10 flags).

Here’s how it works:


  1. Gain access to the administrator dashboard of each application to retrieve the first flag.

  2. Obtain initial access to the underlying operating system hosting the application to retrieve the second flag.


Unlike the OSCP, OSWA does not require privilege escalation to root or system administrator—once you achieve initial access, you’re done. While this simplifies the exam, testing five web applications in 24 hours is a demanding task. In the real world, testing a single application can take a week or more, making the time constraints a significant challenge.


My Personal OSWA Journey: A Story of Resilience

First Attempt: A Learning Experience

Going into my first exam attempt, I was underprepared due to the limited labs. While failing wasn’t unexpected, it gave me valuable insights into the exam’s structure and difficulty. I treated it as a learning opportunity and remained optimistic about my next attempt.


Second Attempt: A Major Distraction

During my second attempt, I faced a significant personal distraction—I received and signed a job offer for my current company on the same day. Between reading the employee handbook and completing onboarding paperwork, I couldn’t give the exam my full attention. Though I failed, it was still a memorable and joyous day as it marked my successful transition from the military to civilian life.


Third Attempt: A Humbling Defeat

Six months passed before my third attempt, a period filled with personal challenges, including a cross-country move, a breakup, and adjusting to my new job. Despite revisiting the course, I failed again. This time, the defeat shook my confidence. I questioned my abilities, my career path, and whether I was truly cut out to be a web application pentester.


Fourth Attempt: A Mental Shift

My fourth attempt marked a turning point. Two critical mindset shifts made all the difference:


  1. Submitting a Report Regardless of Outcome: Writing and submitting a report for feedback is invaluable. Though I skipped this step in my first three attempts, I decided to do it for my fourth, even if I failed.

  2. Sticking to the Basics: Instead of overcomplicating my approach, I focused on the fundamental methodologies taught in the course. This shift unlocked the solutions I had been missing.


The result? Success. Passing the OSWA on my fourth attempt was a deeply satisfying moment that reinforced my determination and resilience.


How to Pass OSWA: My Tips For Success

Here are my top recommendations for anyone pursuing the OSWA certification:


  1. Stick to the Basics: Trust the methodologies taught in the course. Don’t overthink or overcomplicate your approach.

  2. Practice Thoroughly: Test everything more than once, tweak your approach slightly, and rerun commands to catch minor errors.

  3. Minimize Hand-Holding: Avoid relying too heavily on course walkthroughs. Tackle labs independently before seeking hints or solutions.

  4. Struggle Before Seeking Help: Extend your struggle period to 3–5 hours before asking for assistance. The learning happens in the struggle.

  5. Avoid Long Gaps in Study: Complete the course in one focused go to avoid losing momentum.


Is OSWA Worth It?

The answer depends on your goals. If you’re aiming for higher-level OffSec certifications like OSWE (Web Expert), the OSWA is a valuable stepping stone. However, for those on a budget, certifications like TCM Security’s PWPA (Practical Web Penetration Tester Associate) offer similar knowledge at a fraction of the cost.


Final Thoughts

Passing the OSWA after three failures was one of the most humbling experiences of my career. It tested my resilience, challenged my ego, and ultimately made me a better professional. If you’re considering this certification, I hope my journey and tips inspire you to persevere. Remember, failure isn’t the end—it’s just part of the process.


If you’re interested in more tips, check out my story of passing the OSCP on my first try. It’s my most popular blog post and is packed with insights to help you succeed. Keep learning, keep growing, and never give up.


"Everybody thinks the biggest wins are the trophy, or the money, or the house, or the lifestyle. That's not the biggest win, bro. The biggest win is that time where you almost quit, but didn't." - Andy Frisella

