Web Application Penetration Tester
Black Hills Information Security
4h ago
$120k - $150k, Remote, US
Job Description
**About the Role:**
We're looking for an **experienced Webapp Penetration Tester** to perform penetration tests against modern web applications and web APIs, as well as security assessments of all kinds. The ideal candidate combines a strong foundation in information technology or software development with hands-on experience identifying, exploiting, and communicating web-specific security risks.
What You'll Do
* Perform penetration tests against live web applications and web APIs, with and without source code
* Follow a repeatable process that ensures thorough discovery, coverage, and documentation of the attack surface
* Recognize, from HTTP traffic, the presence and use of web application frameworks, technologies, and third-party services on both the client side and the server side
* Identify and exploit coding errors, misconfigurations, business logic flaws, privilege separation gaps, account recovery flaws, and weaknesses in infrastructure software and third-party components and services
* Perform attack path analysis and vulnerability chaining to illustrate the true, realistic impact of findings
* Conduct traditional penetration testing in two or more other areas: mobile applications, external/internal network testing, cloud platforms and services, social engineering, C2 and post-exploitation activities
* Write clear, accurate, and actionable reports with technical details, risk ratings, evidence, and remediation guidance, without relying on AI writing tools
* Present findings to technical teams and executive stakeholders
* Stay current with emerging attack techniques, offensive tooling, and the evolution of common webapp components, frameworks, and infrastructure software
Required Qualifications
* 5 years of hands-on experience performing application-level penetration tests, red team assessments, or offensive security testing
* Strong understanding of penetration testing methodologies: reconnaissance, enumeration, exploitation, privilege escalation, lateral movement, persistence, and reporting
* Familiarity with the OWASP Top Ten (for web, for API, for mobile) and the ability to explain the causes of and solutions for each item
* Understanding of application- and browser-level security concepts: authentication and authorization, privilege separation, CORS, data encoding schemes, WebSockets, HTTP, DOM storage, Same Origin Policy, JWTs, etc.
* Ability to explain the security implications and common errors in those areas that contribute to risk
* Familiarity with offensive tools: Burp Suite, Caido, Nmap, browser-based developer tools, Nuclei, AI-augmented research and analysis
* Experience with JavaScript and another scripting language (Python, Rust, Bash, etc.)
* Strong written and verbal communication skills without reliance on AI-generated language
* Ability to work independently and manage assessment timelines
Preferred Qualifications
* Experience developing or QA testing web applications, web APIs, or mobile applications
* Experienc
