Penetration Testing of Web Application, Recommendations and Action List

Web Application Penetration Tester (Black-Box Focus) We are seeking a skilled and experienced Penetration Tester to conduct a thorough black-box security assessment, report findings and recommendations. Extra document with clear action list. Project Overview: We are engaging a seasoned Penetration Tester to perform a focused black-box security review of the web application. This project's objective is to identify security vulnerabilities solely through external testing and analysis of the live application, simulating a real-world attacker with no prior knowledge of the internal system architecture or code. Please be aware that direct credentialed access to our production environments (Render, Supabase, Redis) or the codebase repository will not be provided as part of this engagement. The outcome will be a comprehensive report detailing all vulnerabilities discovered from an external perspective. Technology Stack Overview: While direct code access is not provided, candidates should have a strong understanding of common vulnerabilities and attack vectors applicable to applications built with our stack: Frontend: Built with [login to view URL] (v14.2.4) and React (^18), leveraging TypeScript (^5). Understanding of client-side and SSR security risks relevant to these technologies is beneficial for testing. Backend: Developed using the Express (^4.19.2) framework on Node.js (>=18.0.0), also written in TypeScript (^5.5.4). Expertise in identifying common API vulnerabilities in Node.js/Express applications through external testing is key. Database & Auth: Supabase, our chosen platform providing a PostgreSQL database, authentication services, and storage. Experience identifying potential misconfigurations or vulnerabilities in Supabase-backed applications through external attack vectors (e.g., testing Auth flows, inferring storage/RLS weaknesses through application behavior) is valuable. Caching: Redis (specifically using the node-redis client library). Awareness of how Redis might be attacked or exploited if insecurely used by the application is relevant for external testing. Deployment: The application is hosted on Render. Knowledge of general cloud deployment security principles and potential attack vectors targeting applications hosted on such platforms (e.g., exposed ports, service misconfigurations observable externally) is helpful. Scope of Work: The security testing engagement will consist entirely of external, black-box penetration testing activities: Comprehensive Reconnaissance & Attack Surface Mapping: Identify all publicly accessible components, subdomains, technologies, and potential entry points by analyzing DNS records, performing port scans (on provided IPs/domains), and observing application responses. Automated & Manual Vulnerability Identification: Conduct thorough automated scans and manual testing against the live application from an unauthenticated perspective, and also with provided test accounts representing different user roles (if applicable). Focus areas include: OWASP Top 10 Vulnerabilities: Attempt to identify and exploit common web vulnerabilities such as Injection (e.g., trying SQL or other injection patterns to see application reactions), Broken Authentication & Session Management, Broken Access Control (testing for privilege escalation and horizontal access based on observed user IDs or roles), Cross-Site Scripting (XSS - Reflected, Stored, DOM-based), Cross-Site Request Forgery (CSRF), Security Misconfigurations (e.g., verbose error messages, exposed internal endpoints), and identifying potentially vulnerable client-side components. API Security Testing: Analyze and test all discovered API endpoints for vulnerabilities identifiable through external interaction, including potential for Insecure Direct Object References (IDORs), excessive data exposure in responses, functional access control issues, and rate limiting bypasses. Security Header Analysis: Review and report on the presence and correct configuration of HTTP security headers. Dedicated AI Prompt Injection Testing: This is a critical focus area. Design and execute tests specifically aimed at identifying vulnerabilities where malicious user input, when processed by the application and sent to an AI model, can manipulate the AI's behavior, extract sensitive information, or cause unintended application actions. This includes testing for direct and indirect prompt injection vectors through the application's user interface and potentially exposed APIs. Key Areas to Be Tested (from an External Perspective): Authentication flows (login, signup, etc.) and observable session management behavior. Authorization and access control enforcement as experienced by different user types. Handling of all user inputs throughout the application and API endpoints. Security posture of all public and authenticated API endpoints. Effectiveness of any implemented rate limiting mechanisms. Vulnerabilities allowing AI Prompt Injection. Observable security aspects related to Supabase integration (e.g., ability to manipulate data via insecure application features, potential Auth bypasses). Observable security aspects related to Redis usage (if any application behavior suggests interaction with a cache that can be exploited). Any security misconfigurations of the application or its exposed services on Render. Identification of vulnerable client-side third-party dependencies. Required Tools: The consultant is required to be proficient in using industry-standard black-box security testing tools. The following types of tools are essential for this engagement: Web Proxies: Mandatory for intercepting, analyzing, and modifying HTTP/S traffic (e.g., Burp Suite Professional, OWASP ZAP). Automated Web Vulnerability Scanners: Tools capable of performing black-box scans of web applications (e.g., PortSwigger Burp Suite Scanner, OWASP ZAP Automated Scan, Nessus, Acunetix - or similar robust commercial or open-source scanners). API Testing Tools: For interacting with and testing RESTful APIs (e.g., Postman, Insomnia, cURL, or integrated features within proxies). Network Scanning Tools: Basic tools for initial reconnaissance and port scanning (e.g., Nmap). Fuzzing Tools: To identify unexpected application behavior by sending malformed or unexpected inputs (can be integrated into proxies or standalone tools). Browser Developer Tools: Essential for inspecting frontend code, network requests, and application behavior. Specialized Tools/Scripts (Optional but highly valued): Any custom scripts or tools the consultant has developed or uses specifically for testing modern web applications, APIs, or AI prompt injection from a black-box perspective. Deliverables: Upon satisfactory completion of the testing, the consultant shall provide: A professional, detailed security assessment report in PDF format. The report must clearly document: Executive Summary: A high-level overview of the findings and assessment results. Methodology: Explanation of the black-box testing approach taken. Scope: Delineation of the tested areas and functionalities of the live application. Detailed Findings: A comprehensive list of all identified vulnerabilities discovered through external testing, including: Clear description of the vulnerability and its potential impact. Specific, step-by-step instructions to reproduce the vulnerability from an external perspective. Assigned severity level (e.g., CVSS v3.x score or similar standardized rating). Compelling evidence (e.g., screenshots, detailed request/response payloads). Practical, actionable recommendations for remediation based on best practices for web applications. A dedicated section detailing the approach, attempts, and results of the AI Prompt Injection testing. Required Skills and Experience: Minimum of 3-5 years of proven experience conducting black-box web application penetration tests. Deep understanding of common web application vulnerabilities, exploitation techniques, and remediation strategies (OWASP Top 10, API Security Top 10, etc.). Hands-on experience using and interpreting results from standard security testing tools (web proxies, scanners, API testers, network scanners). Specific experience or strong theoretical and practical understanding of AI Prompt Injection vulnerabilities and effective black-box testing methodologies. Familiarity with common attack vectors applicable to applications built with [login to view URL], React, Node.js, Express, Redis, and PostgreSQL/Supabase. Excellent report writing skills, with the ability to clearly and concisely document technical findings and provide actionable recommendations for a development audience. Ability to simulate real-world attacker tactics and think creatively to find vulnerabilities. Project Duration: Approximately 1-2 weeks of focused effort. Location: Remote To Apply: Please submit your resume detailing your relevant experience, highlighting your expertise with black-box web application penetration testing, proficiency with standard testing tools, experience with the technologies listed (from a testing perspective), and specifically any experience or strong understanding of AI prompt injection testing. Please include descriptions of similar black-box security testing engagements you have led or significantly contributed to (while strictly respecting client confidentiality). We are looking for candidates who can effectively discover and report on vulnerabilities from an external viewpoint.