OffSec Web Assessor
Intermediate · Penetration Testing · Paid
OffSec's black-box web application penetration testing certification. Covers OWASP Top 10 vulnerabilities, client-side attacks, API testing, and authentication vulnerabilities. Less advanced than OSWE but directly targets web application pentest roles. Does not expire.
What you'll prove
- Identify and exploit OWASP Top 10 vulnerabilities in black-box assessments
- Perform authentication and authorization testing on web applications
- Test REST APIs and GraphQL endpoints for security vulnerabilities
- Exploit client-side vulnerabilities including XSS and CSRF
- Document web application vulnerabilities in professional pentest reports
Frequently asked
OSWA vs OSWE — which should I get?
OSWA is black-box web testing — finding and exploiting vulns in a target app. OSWE is white-box — reviewing source code to find and develop exploits. OSWA is the better starting cert for web pentest roles; OSWE is for advanced AppSec specialists.