Security Penetration Tester Needed
Worldwide
-------------------------------------------------------------------------------- OVERVIEW -------------------------------------------------------------------------------- We run a cloud-hosted, multi-tenant platform for retail/financial- services businesses (inventory, sales, HR, customer records, payments-adjacent workflows, third-party marketplace integrations). Each customer ("tenant") is served from its own subdomain with an isolated database; a separate platform- operator console provisions tenants and manages shared services. The application handles PII and sensitive commercial data across multiple tenants, so before we onboard real customers we want an independent, authorised penetration test - with a particular focus on tenant isolation (one customer must never be able to reach another's data) and the public-facing auth surface. -------------------------------------------------------------------------------- TECH STACK -------------------------------------------------------------------------------- Frontend - React 19 + TypeScript, Vite, single-page app - JWT-based auth with refresh tokens, role-based access (admin/manager/staff), PIN auth, 2FA Backend - Node.js + Express (REST API) - MongoDB / Mongoose - multi-database design: one shared "master" DB plus a separate database per tenant, routed per-request from the subdomain - Redis + BullMQ (background jobs, cross-worker messaging) - JWT + bcrypt; a separate operator auth stack (distinct token secret + mandatory TOTP) for the platform console - Helmet, CSRF tokens, rate limiting, server-side validation, encrypted-at- rest per-tenant credentials - Pino structured logging Infra - Single cloud VM behind Cloudflare; subdomain-per-tenant (wildcard), nginx reverse proxy - Server-side integrations with several third-party APIs (marketplace, freight, training, metal pricing) - WebSocket / SSE real-time channels, file upload + image processing, a headless-Chromium PDF/render sidecar - A companion Android app (Kotlin) uses the same API - mobile testing optional, available as an add-on -------------------------------------------------------------------------------- SCOPE -------------------------------------------------------------------------------- PRIORITY 1 - Multi-tenancy isolation 1. Cross-tenant data access - can a user/token/API key scoped to tenant A read or write tenant B's data? Test the per-request tenant-routing logic, subdomain-to-tenant resolution, and any host-header / spoofing tricks 2. Operator / platform console - privilege boundaries between the operator stack and tenant users; the impersonation feature (can it be abused, replayed, or escalated?); operator-only endpoints reachable by tenant users 3. API keys - prefix-scoped platform / tenant / user keys: scope-confusion, cross-tenant use, rotation/replay 4. Tenant-scoped cookies / CSRF - isolation of sessions and CSRF tokens across subdomains PRIORITY 2 - Authentication & authorization 5. Auth & session - JWT handling, refresh-token rotation/replay, 2FA bypass, PIN auth, idle-timeout/session-fixation, password reset & first-run setup/invite flows 6. Authorization / IDOR - role enforcement (admin/manager/staff), broken object-level authorization, privilege escalation PRIORITY 3 - Application security 7. Injection & input handling - NoSQL (MongoDB) injection, XSS (stored/ reflected), SSRF (esp. via integrations + the headless-Chromium renderer), command/template injection 8. API security - endpoint enumeration, mass assignment, rate-limit/abuse, CSRF coverage, business-logic flaws (incl. the prepaid-billing/balance logic) 9. File upload & processing - malicious files, path traversal, image/PDF processing abuse 10. Sensitive data exposure - PII handling, error/stack-trace leakage, secrets in responses 11. Config & headers - Helmet/CORS, cookie flags, Cloudflare/nginx real-IP and origin handling, TLS posture (config-level) 12. Dependencies - known-vuln packages (informational) -------------------------------------------------------------------------------- TEST ENVIRONMENT -------------------------------------------------------------------------------- We will provide a dedicated multi-tenant staging instance with at least two seeded tenants (so you can actually test cross-tenant isolation), test accounts at each role level, and operator-console access as needed. Do not test against production. Grey-box / source-code access can be provided under NDA for a deeper review - tell us your preference and how it affects pricing. -------------------------------------------------------------------------------- DELIVERABLES -------------------------------------------------------------------------------- - Executive summary (non-technical, for management) - Detailed findings: severity (CVSS or equivalent), affected endpoints, reproduction steps, evidence/PoC, remediation advice - with tenant-isolation findings called out separately and weighted as highest-impact - A short retest of critical/high findings after we patch (please include in your quote) - A 30-minute findings walkthrough call
$800.00
Fixed-price- IntermediateExperience Level
- Remote Job
- Ongoing projectProject Type
Skills and Expertise
Activity on this job
- Proposals:20 to 50
- Last viewed by client:4 weeks ago
- Interviewing:1
- Invites sent:0
- Unanswered invites:0
About the client
- New Zealand5:56 PM
Explore similar jobs on Upwork
How it works
Create your free profileHighlight your skills and experience, show your portfolio, and set your ideal pay rate.
Work the way you wantApply for jobs, create easy-to-by projects, or access exclusive opportunities that come to you.
Get paid securelyFrom contract to payment, we help you work safely and get paid securely.
About Upwork
- 4.9/5(Average rating of clients by professionals)
- G2 2021#1 freelance platform
- 49,000+Signed contract every week
- $2.3BFreelancers earned on Upwork in 2020
Find the best freelance jobs
Growing your career is as easy as creating a free profile and finding work like this that fits your skills.
Trusted by