Web App & API Security Tester (Pentest) — Webhook & Access-Control Focus
Worldwide
Job title: Web App & API Security Tester (Pentest) — Webhook & Access-Control Focus Contract type: Fixed price — US$1,500 Estimated effort: 3–5 days Context We run a private investor portal that stores sensitive personal and financial data (identity documents, bank statements, encrypted bank details) and processes six-figure investments through a webhook-driven pipeline. We need a focused gray-box security assessment of the application and its integration endpoints. This is not a full enterprise pentest — it's a targeted engagement against a small, well-scoped app with a known architecture. We will give you the architecture spec so you can go straight to the high-risk areas. Scope Web application (authenticated investor + admin areas) on staging. Two inbound webhook endpoints (/api/webhooks/typeform, /api/webhooks/docusign). Authentication, session management, and 2FA flows. Access control and multi-tenant (per-SPV) data isolation. Handling and storage of sensitive documents and encrypted bank details. Out of scope: third-party SaaS platforms themselves (Typeform, DocuSign, Resend), physical/social engineering, and any production system. Required test areas (must be covered) Webhook authenticity: attempt to submit forged or unsigned webhook payloads to both endpoints. Confirm requests with invalid or missing signatures are rejected (expected: HTTP 401) and never processed. Replay / idempotency abuse: replay valid signed events and duplicate submission/envelope identifiers. Confirm no duplicate or unauthorized record creation. Payload-trust / routing integrity: attempt to influence which SPV/project an investor is routed to by manipulating webhook payload values. Confirm routing is resolved from server-side stored data, not trusted from the payload. Gate-bypass: attempt to create Investor or Investment records, or advance status, through any path other than the intended manual admin action. Any automated path that creates these records is a critical finding. Access control / IDOR: as an authenticated investor, attempt to access another investor's or another SPV's records, documents, and distributions by manipulating IDs, URLs, and API parameters. Confirm scoping is enforced server-side, not just in the UI. Authentication & session: test login, password-set, 2FA enrollment/enforcement, invitation link (single-use / time-limited), session fixation, session expiry, and privilege separation between investor and admin. Sensitive data exposure: confirm bank details are masked in the UI, not exposed via API responses, logs, or bulk export, and that identity/financial documents are not accessible without authorization. Standard web application checks: injection, XSS, CSRF, insecure direct file access, missing security headers, error/verbose-message leakage, and file-upload handling (type/size enforcement, malicious file handling). Deliverables Security assessment report with an executive summary and, for each finding: description, severity (CVSS or Critical/High/Medium/Low), affected component, reproduction steps / proof of concept, business impact, and remediation guidance. Prioritized remediation list. Retest / verification of fixes for Critical and High findings after we remediate. Immediate notification of any Critical finding during testing, ahead of the written report. Milestones (total US$1,500) Milestone 1 — Scoping confirmation + test plan: US$300. You review our architecture, confirm scope and rules of engagement, and deliver a brief test plan. Milestone 2 — Assessment + report: US$900. Complete the assessment and deliver the full findings report with PoCs and remediation guidance. Milestone 3 — Retest of Critical/High fixes: US$300. Verify our remediations and deliver a final confirmation. Freelancer requirements Demonstrable web application and API penetration testing experience (please share a redacted sample report). Certification such as OSCP, or equivalent proven experience. Experience with authentication/session testing, access-control/IDOR, and webhook or API security. Bonus: prior work with fintech, document-signing, or multi-tenant SaaS systems. Willing to sign an NDA before access is granted. What we provide Staging URL and credentials for both roles. Architecture / specification documents describing the intended security controls (redacted as needed). Sandbox webhook secrets and test keys for replay/forgery testing. A named technical contact for coordination. Rules of engagement Testing is authorized on the specified staging environment only. Production is strictly out of scope. No destructive testing that would corrupt shared test data without prior agreement. Use only sandbox credentials and secrets we provide; never replay events against production. Findings, credentials, and documents are confidential and covered by NDA. Do not retain or share data after the engagement. Report any Critical finding immediately upon discovery.
$1,500.00
Fixed-price- ExpertExperience Level
- Remote Job
- One-time projectProject Type
Skills and Expertise
Activity on this job
- Proposals:50+
- Last viewed by client:2 days ago
- Interviewing:3
- Invites sent:3
- Unanswered invites:0
About the client
- CanadaMarkham10:02 PM
- $77K total spent108 hires, 11 active
- 1,154 hours
- Real EstateSmall company (2-9 people)
Explore similar jobs on Upwork
How it works
Create your free profileHighlight your skills and experience, show your portfolio, and set your ideal pay rate.
Work the way you wantApply for jobs, create easy-to-by projects, or access exclusive opportunities that come to you.
Get paid securelyFrom contract to payment, we help you work safely and get paid securely.
About Upwork
- 4.9/5(Average rating of clients by professionals)
- G2 2021#1 freelance platform
- 49,000+Signed contract every week
- $2.3BFreelancers earned on Upwork in 2020
Find the best freelance jobs
Growing your career is as easy as creating a free profile and finding work like this that fits your skills.
Trusted by