Security Penetration Tester Needed

Posted 4 weeks ago

Worldwide

Summary

-------------------------------------------------------------------------------- OVERVIEW -------------------------------------------------------------------------------- We run a cloud-hosted, multi-tenant platform for retail/financial- services businesses (inventory, sales, HR, customer records, payments-adjacent workflows, third-party marketplace integrations). Each customer ("tenant") is served from its own subdomain with an isolated database; a separate platform- operator console provisions tenants and manages shared services. The application handles PII and sensitive commercial data across multiple tenants, so before we onboard real customers we want an independent, authorised penetration test - with a particular focus on tenant isolation (one customer must never be able to reach another's data) and the public-facing auth surface. -------------------------------------------------------------------------------- TECH STACK -------------------------------------------------------------------------------- Frontend - React 19 + TypeScript, Vite, single-page app - JWT-based auth with refresh tokens, role-based access (admin/manager/staff), PIN auth, 2FA Backend - Node.js + Express (REST API) - MongoDB / Mongoose - multi-database design: one shared "master" DB plus a separate database per tenant, routed per-request from the subdomain - Redis + BullMQ (background jobs, cross-worker messaging) - JWT + bcrypt; a separate operator auth stack (distinct token secret + mandatory TOTP) for the platform console - Helmet, CSRF tokens, rate limiting, server-side validation, encrypted-at- rest per-tenant credentials - Pino structured logging Infra - Single cloud VM behind Cloudflare; subdomain-per-tenant (wildcard), nginx reverse proxy - Server-side integrations with several third-party APIs (marketplace, freight, training, metal pricing) - WebSocket / SSE real-time channels, file upload + image processing, a headless-Chromium PDF/render sidecar - A companion Android app (Kotlin) uses the same API - mobile testing optional, available as an add-on -------------------------------------------------------------------------------- SCOPE -------------------------------------------------------------------------------- PRIORITY 1 - Multi-tenancy isolation 1. Cross-tenant data access - can a user/token/API key scoped to tenant A read or write tenant B's data? Test the per-request tenant-routing logic, subdomain-to-tenant resolution, and any host-header / spoofing tricks 2. Operator / platform console - privilege boundaries between the operator stack and tenant users; the impersonation feature (can it be abused, replayed, or escalated?); operator-only endpoints reachable by tenant users 3. API keys - prefix-scoped platform / tenant / user keys: scope-confusion, cross-tenant use, rotation/replay 4. Tenant-scoped cookies / CSRF - isolation of sessions and CSRF tokens across subdomains PRIORITY 2 - Authentication & authorization 5. Auth & session - JWT handling, refresh-token rotation/replay, 2FA bypass, PIN auth, idle-timeout/session-fixation, password reset & first-run setup/invite flows 6. Authorization / IDOR - role enforcement (admin/manager/staff), broken object-level authorization, privilege escalation PRIORITY 3 - Application security 7. Injection & input handling - NoSQL (MongoDB) injection, XSS (stored/ reflected), SSRF (esp. via integrations + the headless-Chromium renderer), command/template injection 8. API security - endpoint enumeration, mass assignment, rate-limit/abuse, CSRF coverage, business-logic flaws (incl. the prepaid-billing/balance logic) 9. File upload & processing - malicious files, path traversal, image/PDF processing abuse 10. Sensitive data exposure - PII handling, error/stack-trace leakage, secrets in responses 11. Config & headers - Helmet/CORS, cookie flags, Cloudflare/nginx real-IP and origin handling, TLS posture (config-level) 12. Dependencies - known-vuln packages (informational) -------------------------------------------------------------------------------- TEST ENVIRONMENT -------------------------------------------------------------------------------- We will provide a dedicated multi-tenant staging instance with at least two seeded tenants (so you can actually test cross-tenant isolation), test accounts at each role level, and operator-console access as needed. Do not test against production. Grey-box / source-code access can be provided under NDA for a deeper review - tell us your preference and how it affects pricing. -------------------------------------------------------------------------------- DELIVERABLES -------------------------------------------------------------------------------- - Executive summary (non-technical, for management) - Detailed findings: severity (CVSS or equivalent), affected endpoints, reproduction steps, evidence/PoC, remediation advice - with tenant-isolation findings called out separately and weighted as highest-impact - A short retest of critical/high findings after we patch (please include in your quote) - A 30-minute findings walkthrough call

  • $800.00

    Fixed-price
  • Intermediate
    Experience Level
  • Remote Job
  • Ongoing project
    Project Type
Skills and Expertise
Mandatory skills
Network Security
Security Analysis
Nice-to-have skills
Information Security
Internet Security
Activity on this job
  • Proposals:20 to 50
  • Last viewed by client:4 weeks ago
  • Interviewing:
    1
  • Invites sent:
    0
  • Unanswered invites:
    0
About the client
Member since Jun 12, 2026
  • New Zealand
    5:56 PM

Explore similar jobs on Upwork

UK Cybersecurity Sales ProfessionalHourly‐ Posted 3 weeks ago
Sales
Phone Communication
Telemarketing
Cold Calling
Help with cyber security photoshopHourly‐ Posted 9 months ago
Penetration Testing
System Security
Cybersecurity Management
Vulnerability Assessment
Security Assessment & Testing
Network Penetration Testing
Testing
Software Testing
Ethical Hacking
Threat Detection

How it works

  • Post a job icon
    Create your free profile
    Highlight your skills and experience, show your portfolio, and set your ideal pay rate.
  • Talent comes to you icon
    Work the way you want
    Apply for jobs, create easy-to-by projects, or access exclusive opportunities that come to you.
  • Payment simplified icon
    Get paid securely
    From contract to payment, we help you work safely and get paid securely.
Want to get started? Create a profile

About Upwork

  • Rating is 4.9 out of 5.
    4.9/5
    (Average rating of clients by professionals)
  • G2 2021
    #1 freelance platform
  • 49,000+
    Signed contract every week
  • $2.3B
    Freelancers earned on Upwork in 2020

Find the best freelance jobs

Growing your career is as easy as creating a free profile and finding work like this that fits your skills.

Trusted by

  • Microsoft Logo
  • Airbnb Logo
  • Bissell Logo
  • GoDaddy Logo