OffSec Certification

OffSec Web Assessor (OSWA, WEB-200) Practice Test

Prepare for the OffSec Web Assessor exam with free practice tests built around the real hands-on WEB-200 certification. Each test includes 20 questions with a proportional timer of about 4 hours to help you build the patience, methodology, and exploitation mindset needed for long-form web application assessments.

19Practice Tests
380Total Questions
14Objectives Covered
100%Free Forever

Mixed Set — OffSec Web Assessor (OSWA, WEB-200) Practice Tests

These mixed sets pull questions from the major WEB-200 learning areas, including XSS, cross-origin attacks, SQL injection, SSTI, SSRF, IDOR, command injection, and full web assessment workflow. They are designed to mimic how the real OSWA expects you to chain ideas together instead of solving isolated trivia.

Domain Wise — OffSec Web Assessor (OSWA, WEB-200) Mock Tests

Use these targeted topic-wise tests to focus on one WEB-200 skill area at a time. Each mock test contains 20 questions built around a single offensive web assessment topic so you can sharpen weaknesses before moving back to full mixed practice.

D1
Introduction to WEB-200
Course mindset, web assessment workflow, target scoping, challenge-machine expectations, and the practical thinking style used throughout OSWA preparation
Approx. 7.1% Practice Weight Start Test →
D2
Tools
Burp Suite, browser tooling, proxies, enumeration helpers, payload handling, request manipulation, and general tester efficiency in web environments
Approx. 7.1% Practice Weight Start Test →
D3
Cross-Site Scripting Introduction and Discovery
JavaScript basics, reflection points, stored and reflected XSS discovery, context analysis, and identifying injection opportunities safely and methodically
Approx. 7.1% Practice Weight Start Test →
D4
Cross-Site Scripting Exploitation and Case Study
Payload refinement, session abuse, browser-side impact, realistic case-study exploitation, and using XSS beyond simple alert-box demonstrations
Approx. 7.1% Practice Weight Start Test →
D5
Cross-Origin Attacks
Same-origin policy, CORS weaknesses, CSRF-style logic, browser trust boundaries, and abuse paths that rely on cross-origin behavior
Approx. 7.1% Practice Weight Start Test →
D6
Introduction to SQL
SQL basics, query logic, database interaction patterns, and the foundational knowledge needed to understand injection behavior and error conditions
Approx. 7.1% Practice Weight Start Test →
D7
SQL Injection
Discovery, manual exploitation, authentication bypass, data extraction, union and blind techniques, and practical use of allowed SQLi tooling
Approx. 7.1% Practice Weight Start Test →
D8
Directory Traversal Attacks
Path normalization issues, file access abuse, traversal payloads, filter bypasses, and using file disclosure to support larger exploitation chains
Approx. 7.1% Practice Weight Start Test →
D9
XML External Entities
XML parser behavior, entity expansion, local file disclosure, SSRF-style side effects, and secure versus insecure XML processing patterns
Approx. 7.1% Practice Weight Start Test →
D10
Server-side Template Injection - Discovery and Exploitation
Template engine discovery, expression injection, sandbox escape ideas, code execution paths, and framework-aware exploitation techniques
Approx. 7.1% Practice Weight Start Test →
D11
Command Injection
Shell metacharacters, OS command abuse, blind output handling, command chaining, environment-aware payloads, and post-exploitation thinking
Approx. 7.1% Practice Weight Start Test →
D12
Server-side Request Forgery
Internal service access, metadata targeting, protocol tricks, URL parser abuse, and chaining SSRF into broader compromise opportunities
Approx. 7.1% Practice Weight Start Test →
D13
Insecure Direct Object Referencing
Broken object-level authorization, identifier tampering, access control testing, record enumeration, and privilege abuse through weak authorization checks
Approx. 7.1% Practice Weight Start Test →
D14
Assembling the Pieces: Web Application Assessment Breakdown
End-to-end methodology, enumeration sequencing, issue prioritization, vulnerability chaining, and turning scattered findings into a complete assessment path
Approx. 7.1% Practice Weight Start Test →

About the OffSec Web Assessor (OSWA) Certification Exam

Everything you need to know about the WEB-200 course, the OSWA exam, eligibility expectations, and the career value of foundational web application assessment skills.

What Is the OSWA?

The OffSec Web Assessor (OSWA) is the certification aligned to WEB-200, OffSec’s Foundational Web Application Assessments with Kali Linux course. OffSec says WEB-200 is organized into 16 modules and 9 challenge labs and is designed to help learners build foundational skills in professional web application assessments. It focuses on discovering, testing, and exploiting common web vulnerabilities in hands-on environments rather than learning only theory. :contentReference[oaicite:1]{index=1}

OSWA is best suited for junior penetration testers, web application testers, bug bounty beginners, security analysts, application security engineers, and anyone who wants a stronger practical foundation in attacking modern web apps. Related information security analyst roles in the United States had a median annual wage of $124,910 in May 2024, according to the U.S. Bureau of Labor Statistics. :contentReference[oaicite:2]{index=2}

Exam Format (2026)

Testing method: Practical, proctored web application assessment exam. :contentReference[oaicite:3]{index=3}

Exam/course code: WEB-200 leading to the OSWA certification. :contentReference[oaicite:4]{index=4}

Targets: 5 independent targets. :contentReference[oaicite:5]{index=5}

Duration: 23 hours 45 minutes for the exam, plus 24 hours to upload documentation. :contentReference[oaicite:6]{index=6}

Question style: Practical exploitation objectives, flags, and reporting requirements rather than standard multiple-choice questions. :contentReference[oaicite:7]{index=7}

Passing score: At least 70 points out of 100. :contentReference[oaicite:8]{index=8}

Resources allowed: Open book, including notes, online resources other than AI chatbots/LLMs with direct prompt access, and the OffSec Learning Platform. :contentReference[oaicite:9]{index=9}

Training price: Course + Cert Bundle is listed at $1,749 with 90 days of access and 1 exam attempt, while Learn One is $2,749/year with 1 year of access and 2 exam attempts. :contentReference[oaicite:10]{index=10}

Eligibility Requirements

Formal prerequisite: None listed publicly for sitting the exam. :contentReference[oaicite:11]{index=11}

Recommended background: OffSec says basic Linux, networking, and scripting skills will help significantly with WEB-200. :contentReference[oaicite:12]{index=12}

Report requirement: You must submit a professional report documenting your attacks step by step and provide proof screenshots for each target. :contentReference[oaicite:13]{index=13}

Retake policy: OffSec says all exams have a cooling-off period. Its current exam retake policy states 4 weeks after a first failed exam, 8 weeks after a second failed exam, and 12 weeks after a third failed exam onward. :contentReference[oaicite:14]{index=14}

Exam validity model: With OffSec bundles and subscriptions, exam-attempt validity depends on the product purchased. :contentReference[oaicite:15]{index=15}

OSWA Objective Weights — WEB-200 Practice Mapping

OffSec publicly lists the WEB-200 course structure and OSWA exam format, but it does not publish a public percentage-weight table for the practical exam objectives on the surfaced official pages. Because your page uses 14 topic-wise tests, the table below uses an even practice mapping across those 14 topics so mixed sets stay balanced and predictable. :contentReference[oaicite:16]{index=16}

ObjectiveTopicPractice Weight
D1Introduction to WEB-2007.1%
D2Tools7.1%
D3Cross-Site Scripting Introduction and Discovery7.1%
D4Cross-Site Scripting Exploitation and Case Study7.1%
D5Cross-Origin Attacks7.1%
D6Introduction to SQL7.1%
D7SQL Injection7.1%
D8Directory Traversal Attacks7.1%
D9XML External Entities7.1%
D10Server-side Template Injection - Discovery and Exploitation7.1%
D11Command Injection7.1%
D12Server-side Request Forgery7.1%
D13Insecure Direct Object Referencing7.1%
D14Assembling the Pieces: Web Application Assessment Breakdown7.1%

How Our Practice Tests Are Designed

Built around the official WEB-200 scope — OffSec says WEB-200 is organized into 16 modules focused on discovering, testing, and exploiting web vulnerabilities, so these practice tests target the same offensive workflow rather than generic web trivia. :contentReference[oaicite:17]{index=17}

Timer matched to the real exam pace — The live OSWA exam gives you 23 hours and 45 minutes for 5 independent targets. That works out to roughly 4 hours and 45 minutes per target, so each 20-question practice set is timed at about 4 hours to build endurance and methodical thinking. This is an inference based on the official exam duration and target count. :contentReference[oaicite:18]{index=18}

Hands-on attacker mindset — The real exam awards points for flags and requires proof screenshots and professional reporting, so the practice sets emphasize discovery, exploitation logic, and chaining findings together instead of only recognizing definitions. :contentReference[oaicite:19]{index=19}

Tool-aware preparation — OffSec explicitly allows tools such as Burp Suite Professional and SQLi tools like sqlmap and sqlninja on OSWA, so these questions reflect realistic tool-assisted workflows while still focusing on understanding what the tools are doing. :contentReference[oaicite:20]{index=20}

OSWA Exam Preparation Tips

Study Strategy

Master discovery before exploitation: WEB-200 is about finding the right weakness, not only knowing payloads. Spend time on enumeration, parameter mapping, request replay, and understanding app behavior.

Build comfort with web tooling: Burp Suite, browser dev tools, and disciplined note-taking matter because OffSec expects practical work, not memorized theory. :contentReference[oaicite:21]{index=21}

Practice chaining issues: OSWA-style work often becomes easier when you combine several small observations into one path to admin access or deeper compromise.

Test-Taking Strategy

Manage the long exam window: OffSec gives you nearly 24 hours for the exam and another 24 hours for report upload, so plan your pace, breaks, sleep, and documentation strategy before exam day. :contentReference[oaicite:22]{index=22}

Document as you go: The exam guide warns that weak documentation can reduce or eliminate points, so capture screenshots, commands, and exploitation steps while you work. :contentReference[oaicite:23]{index=23}

Use open-book access wisely: Since the exam is open book, organize your notes so you can quickly find payloads, syntax, and methodology without losing momentum. :contentReference[oaicite:24]{index=24}

Frequently Asked Questions

How long is the real OffSec OSWA exam?+
The OSWA exam gives you 23 hours and 45 minutes to complete the hands-on assessment, and then you have another 24 hours to upload your documentation.
How many targets are on the OSWA exam?+
The exam consists of 5 independent targets, each with required proof files and documentation expectations.
What score do I need to pass OSWA?+
You must achieve at least 70 points out of 100 to pass the exam.
Are these OffSec OSWA practice tests free?+
Yes. All OffSec Web Assessor practice tests on Security Practice Test are completely free, including both mixed sets and topic-wise mock tests.
Is the OSWA exam open book?+
Yes. OffSec says the OSWA exam is open book, and you may use notes, online resources other than AI chatbots or LLMs with direct prompt access, and the OffSec Learning Platform.
Do I need prior experience before taking WEB-200 or OSWA?+
There is no formal prerequisite listed publicly, but OffSec says basic Linux, networking, and scripting skills help significantly with WEB-200.
Can I use Burp Suite Professional or sqlmap on the OSWA exam?+
Yes. OffSec says Burp Suite Professional is allowed, and sqlmap, sqlninja, and similar SQL injection tools are also allowed, although they are not required to pass.
What is the OSWA retake policy?+
OffSec says all exams have a cooling-off period. Its current retake policy states 4 weeks after the first failed exam, 8 weeks after the second failed exam, and 12 weeks after the third failed exam onward.

Ready to Test Your OSWA Skills?

Start with a mixed set to measure your readiness, then use topic-wise tests to sharpen the exact web vulnerabilities and workflows you need for WEB-200.

Start OffSec OSWA Practice Test 1 →

Authors

  • Security Practice Test Editorial Team

    Security Practice Test Editorial Team is the expert content team at SecurityPracticeTest.com dedicated to producing authoritative cybersecurity certification exam-prep resources. We create comprehensive practice tests, study materials, and exam-focused content for top security certifications including CompTIA Security+, SecurityX, PenTest+, CISSP, CCSP, SSCP, Certified in Cybersecurity (CC), CGRC, CISM, SC-900, SC-200, AZ-500, AWS Certified Security - Specialty, Professional Cloud Security Engineer, OSCP+, GIAC certifications, CREST certifications, Check Point, Cisco, Fortinet, and Palo Alto Networks exams. Our content is developed through careful review of official exam objectives, cybersecurity knowledge domains, and practical job-relevant concepts to help learners build confidence, strengthen understanding, and prepare effectively for certification success.

  • Sudhanshu Thakur - Reviewer

    Enterprise Technology and Digital Transformation Professional with 18+ years of experience in enterprise software, SaaS, industrial automation, and business consulting. Formerly associated with Rockwell Automation, Tech Mahindra, Emerson, ABB, L&T Infotech, and Hewlett Packard Enterprise.