OffSec Web Assessor (OSWA, WEB-200) Practice Test
Prepare for the OffSec Web Assessor exam with free practice tests built around the real hands-on WEB-200 certification. Each test includes 20 questions with a proportional timer of about 4 hours to help you build the patience, methodology, and exploitation mindset needed for long-form web application assessments.
Mixed Set — OffSec Web Assessor (OSWA, WEB-200) Practice Tests
These mixed sets pull questions from the major WEB-200 learning areas, including XSS, cross-origin attacks, SQL injection, SSTI, SSRF, IDOR, command injection, and full web assessment workflow. They are designed to mimic how the real OSWA expects you to chain ideas together instead of solving isolated trivia.
Domain Wise — OffSec Web Assessor (OSWA, WEB-200) Mock Tests
Use these targeted topic-wise tests to focus on one WEB-200 skill area at a time. Each mock test contains 20 questions built around a single offensive web assessment topic so you can sharpen weaknesses before moving back to full mixed practice.
About the OffSec Web Assessor (OSWA) Certification Exam
Everything you need to know about the WEB-200 course, the OSWA exam, eligibility expectations, and the career value of foundational web application assessment skills.
What Is the OSWA?
The OffSec Web Assessor (OSWA) is the certification aligned to WEB-200, OffSec’s Foundational Web Application Assessments with Kali Linux course. OffSec says WEB-200 is organized into 16 modules and 9 challenge labs and is designed to help learners build foundational skills in professional web application assessments. It focuses on discovering, testing, and exploiting common web vulnerabilities in hands-on environments rather than learning only theory. :contentReference[oaicite:1]{index=1}
OSWA is best suited for junior penetration testers, web application testers, bug bounty beginners, security analysts, application security engineers, and anyone who wants a stronger practical foundation in attacking modern web apps. Related information security analyst roles in the United States had a median annual wage of $124,910 in May 2024, according to the U.S. Bureau of Labor Statistics. :contentReference[oaicite:2]{index=2}
Exam Format (2026)
Testing method: Practical, proctored web application assessment exam. :contentReference[oaicite:3]{index=3}
Exam/course code: WEB-200 leading to the OSWA certification. :contentReference[oaicite:4]{index=4}
Targets: 5 independent targets. :contentReference[oaicite:5]{index=5}
Duration: 23 hours 45 minutes for the exam, plus 24 hours to upload documentation. :contentReference[oaicite:6]{index=6}
Question style: Practical exploitation objectives, flags, and reporting requirements rather than standard multiple-choice questions. :contentReference[oaicite:7]{index=7}
Passing score: At least 70 points out of 100. :contentReference[oaicite:8]{index=8}
Resources allowed: Open book, including notes, online resources other than AI chatbots/LLMs with direct prompt access, and the OffSec Learning Platform. :contentReference[oaicite:9]{index=9}
Training price: Course + Cert Bundle is listed at $1,749 with 90 days of access and 1 exam attempt, while Learn One is $2,749/year with 1 year of access and 2 exam attempts. :contentReference[oaicite:10]{index=10}
Eligibility Requirements
Formal prerequisite: None listed publicly for sitting the exam. :contentReference[oaicite:11]{index=11}
Recommended background: OffSec says basic Linux, networking, and scripting skills will help significantly with WEB-200. :contentReference[oaicite:12]{index=12}
Report requirement: You must submit a professional report documenting your attacks step by step and provide proof screenshots for each target. :contentReference[oaicite:13]{index=13}
Retake policy: OffSec says all exams have a cooling-off period. Its current exam retake policy states 4 weeks after a first failed exam, 8 weeks after a second failed exam, and 12 weeks after a third failed exam onward. :contentReference[oaicite:14]{index=14}
Exam validity model: With OffSec bundles and subscriptions, exam-attempt validity depends on the product purchased. :contentReference[oaicite:15]{index=15}
OSWA Objective Weights — WEB-200 Practice Mapping
OffSec publicly lists the WEB-200 course structure and OSWA exam format, but it does not publish a public percentage-weight table for the practical exam objectives on the surfaced official pages. Because your page uses 14 topic-wise tests, the table below uses an even practice mapping across those 14 topics so mixed sets stay balanced and predictable. :contentReference[oaicite:16]{index=16}
| Objective | Topic | Practice Weight |
|---|---|---|
| D1 | Introduction to WEB-200 | 7.1% |
| D2 | Tools | 7.1% |
| D3 | Cross-Site Scripting Introduction and Discovery | 7.1% |
| D4 | Cross-Site Scripting Exploitation and Case Study | 7.1% |
| D5 | Cross-Origin Attacks | 7.1% |
| D6 | Introduction to SQL | 7.1% |
| D7 | SQL Injection | 7.1% |
| D8 | Directory Traversal Attacks | 7.1% |
| D9 | XML External Entities | 7.1% |
| D10 | Server-side Template Injection - Discovery and Exploitation | 7.1% |
| D11 | Command Injection | 7.1% |
| D12 | Server-side Request Forgery | 7.1% |
| D13 | Insecure Direct Object Referencing | 7.1% |
| D14 | Assembling the Pieces: Web Application Assessment Breakdown | 7.1% |
How Our Practice Tests Are Designed
Built around the official WEB-200 scope — OffSec says WEB-200 is organized into 16 modules focused on discovering, testing, and exploiting web vulnerabilities, so these practice tests target the same offensive workflow rather than generic web trivia. :contentReference[oaicite:17]{index=17}
Timer matched to the real exam pace — The live OSWA exam gives you 23 hours and 45 minutes for 5 independent targets. That works out to roughly 4 hours and 45 minutes per target, so each 20-question practice set is timed at about 4 hours to build endurance and methodical thinking. This is an inference based on the official exam duration and target count. :contentReference[oaicite:18]{index=18}
Hands-on attacker mindset — The real exam awards points for flags and requires proof screenshots and professional reporting, so the practice sets emphasize discovery, exploitation logic, and chaining findings together instead of only recognizing definitions. :contentReference[oaicite:19]{index=19}
Tool-aware preparation — OffSec explicitly allows tools such as Burp Suite Professional and SQLi tools like sqlmap and sqlninja on OSWA, so these questions reflect realistic tool-assisted workflows while still focusing on understanding what the tools are doing. :contentReference[oaicite:20]{index=20}
OSWA Exam Preparation Tips
Study Strategy
Master discovery before exploitation: WEB-200 is about finding the right weakness, not only knowing payloads. Spend time on enumeration, parameter mapping, request replay, and understanding app behavior.
Build comfort with web tooling: Burp Suite, browser dev tools, and disciplined note-taking matter because OffSec expects practical work, not memorized theory. :contentReference[oaicite:21]{index=21}
Practice chaining issues: OSWA-style work often becomes easier when you combine several small observations into one path to admin access or deeper compromise.
Test-Taking Strategy
Manage the long exam window: OffSec gives you nearly 24 hours for the exam and another 24 hours for report upload, so plan your pace, breaks, sleep, and documentation strategy before exam day. :contentReference[oaicite:22]{index=22}
Document as you go: The exam guide warns that weak documentation can reduce or eliminate points, so capture screenshots, commands, and exploitation steps while you work. :contentReference[oaicite:23]{index=23}
Use open-book access wisely: Since the exam is open book, organize your notes so you can quickly find payloads, syntax, and methodology without losing momentum. :contentReference[oaicite:24]{index=24}
Frequently Asked Questions
Ready to Test Your OSWA Skills?
Start with a mixed set to measure your readiness, then use topic-wise tests to sharpen the exact web vulnerabilities and workflows you need for WEB-200.
Start OffSec OSWA Practice Test 1 →