Web & Application Penetration Tester

Security

Al. Jerozolimskie 158, Warszawa

Bayer Sp. z o.o.

20 000 - 28 500 PLN gross per month

Full-time, Permanent, Senior, Hybrid

Tech stack

IT Security - advanced

Job description

For Digital Hub Warsaw, we are looking for a Web/Application Penetration Tester with at least 5 years of solid, hands-on offensive security experience. This role requires deep technical knowledge of modern applications, creative vulnerability exploitation, and strong collaboration skills to help secure critical platforms and services.

Key Tasks & Responsibilities:


  • Web & API Assessments

    • Perform detailed penetration tests against web applications, APIs, and microservices.

    • Identify vulnerabilities in authentication, session management, authorization, and data validation.

    • Exploit and demonstrate insecure direct object references, SQLi, XSS, SSRF, template injection, deserialization, CSRF, and business logic flaws.

    • Test GraphQL, REST, and gRPC APIs for access control bypasses, injection flaws, and mass-assignment risks.

  • Mobile Application Testing

    • Assess Android/iOS apps for insecure storage, traffic interception, missing or bypassable certificate pinning, hardcoded secrets, and API misconfigurations.

    • Reverse and analyze application logic using Frida, Objection, Burp Mobile Suite, JADX, or Hopper.

  • Code & Dependency Security

    • Conduct static and dynamic analysis of application codebases where applicable.

    • Identify risks in third-party dependencies, supply chain integrations, and open-source libraries.

  • Reporting & Communication

    • Write clear, reproducible, and actionable reports with proof-of-concept exploit details.

    • Communicate findings to developers and architects in a way that drives real remediation, not just documentation.

    • Provide secure coding recommendations mapped to OWASP and industry best practices.

  • Continuous Improvement

    • Develop scripts and custom tooling to automate test cases, payload generation, and reporting workflows.

    • Stay ahead of emerging attack vectors in web frameworks, cloud-native apps, and modern authentication schemes (OAuth2, JWT, SAML).

    • Contribute to internal methodology updates and maintain a repository of test cases and payloads.
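One of the JWT implementation checks behind the authentication-scheme items above, as an added example that is not Bayer's code and not part of the posting: a stdlib-only HS256 mint/verify pair, a verifier that lets the token's own `alg` header choose the algorithm (the classic `alg: none` bug), and a verifier that pins the algorithm server-side and always checks the signature. The secret key and the claims are constructed for the demo.

```python
"""
Added example (not Bayer's code): hand-rolled HS256 JWT mint/verify to show the
"alg: none" / header-trusting verifier bug next to a pinned-algorithm verifier.
The SECRET and the claims below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # assumption: the server's HMAC key


def b64url(data: bytes) -> str:
    # JWT uses unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_hs256(signing_input: bytes, key: bytes) -> str:
    return b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def mint(claims: dict, key: bytes = SECRET) -> str:
    """Legitimate issuer: HS256 over header.payload."""
    h = b64url(compact_json({"alg": "HS256", "typ": "JWT"}))
    p = b64url(compact_json(claims))
    signing_input = f"{h}.{p}".encode()
    return f"{h}.{p}.{sign_hs256(signing_input, key)}"


def forge_alg_none(new_claims: dict) -> str:
    """Attacker step: declare alg=none, swap the claims, send an empty signature."""
    h = b64url(compact_json({"alg": "none", "typ": "JWT"}))
    p = b64url(compact_json(new_claims))
    return f"{h}.{p}."


def verify_trusting_header(token: str, key: bytes = SECRET):
    """Vulnerable verifier: the token's header decides how it is verified."""
    h, p, sig = token.split(".")
    header = json.loads(b64url_decode(h))
    alg = header.get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p))  # accepted with no signature at all
    if alg == "HS256":
        expected = sign_hs256(f"{h}.{p}".encode(), key)
        if hmac.compare_digest(expected, sig):
            return json.loads(b64url_decode(p))
    return None


def verify_pinned(token: str, key: bytes = SECRET, expected_alg: str = "HS256"):
    """Hardened verifier: algorithm is server policy, signature is always checked."""
    try:
        h, p, sig = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError:  # wrong segment count, bad base64, bad JSON, bad UTF-8
        return None
    if header.get("alg") != expected_alg or not sig:
        return None
    expected = sign_hs256(f"{h}.{p}".encode(), key)
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(p))


def demo() -> dict:
    legit = mint({"sub": "alice", "role": "user"})
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    return {
        "vuln_accepts_forged": verify_trusting_header(forged) is not None,
        "hardened_accepts_forged": verify_pinned(forged) is not None,
        "hardened_accepts_legit": verify_pinned(legit) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Against a real target the same test is: capture a valid token, rewrite the header to `alg: none` (and try the case variants `None`, `NONE`, `nOnE`), drop the signature, replay it, and treat any 2xx as a finding. The hardened verifier also rejects the empty-signature case outright rather than relying on the HMAC comparison to fail.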



Qualifications & Competencies (education, skills, experience):

  • Core Web Security

    • Strong understanding of HTTP, cookies, headers, sessions, CORS, and TLS.

    • Expert with Burp Suite Pro and related tooling (Extender, Collaborator, custom extensions).

    • Ability to manually identify and exploit injection flaws, race conditions, and logic bypasses.

  • Modern Web Technologies

    • Familiarity with single-page app frameworks (React, Angular, Vue) and their unique security issues.

    • Hands-on experience testing OAuth2, OpenID Connect, SAML, and JWT implementations.

    • Knowledge of SSO, MFA, and federation mechanisms and their common pitfalls.

  • API Security

    • Proficient in testing REST, GraphQL, SOAP, and gRPC endpoints.

    • Experience with mass assignment, broken object-level authorization (BOLA), and broken function-level authorization (BFLA).

    • Ability to assess rate limiting, replay attack defenses, and API abuse scenarios.

  • Mobile Application Security

    • Understanding of OWASP Mobile Top 10 risks.

    • Familiarity with APK/IPA unpacking, dynamic instrumentation, and certificate pinning bypass.

  • Scripting & Tooling

    • Proficiency in Python, JavaScript, or Bash/PowerShell for exploit development and automation.

    • Ability to create custom PoCs instead of relying solely on scanners.

    • Familiarity with tools such as sqlmap, ffuf, nuclei, mitmproxy, Postman, Frida, and Objection.

  • Motivated & Proactive – Self-starter who keeps up with modern attacker tradecraft.

  • Team Player – Works effectively with developers, QA, and security engineers; values collaboration over silos.

  • Problem Solver – Can take vague or incomplete application designs and still identify weak points.

  • Clear Communicator – Explains technical findings in developer-friendly language with practical fix guidance.


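The BOLA and mass-assignment checks named under API Security, scripted the way the Scripting & Tooling items ask for (a custom PoC rather than a scanner), as an added example that is not Bayer's code and not part of the posting. It uses a small in-memory stand-in for an API with two users and a vulnerable and a hardened handler set, so it runs offline; the users, tokens and the `Api` class are all constructed for the demo, and against a real target the two `check_*` functions would wrap HTTP calls instead.

```python
"""
Added example (not Bayer's code): differential checks for broken object-level
authorization (BOLA) and mass assignment, run against a constructed in-memory
"API" that can be switched between a vulnerable and a hardened handler set.
"""
import copy
from dataclasses import dataclass, field

# Constructed sample data: two tenants who must never see or edit each other.
SEED_USERS = {
    1: {"id": 1, "email": "alice@example.test", "role": "user", "balance": 120},
    2: {"id": 2, "email": "bob@example.test", "role": "user", "balance": 75},
}
# Static bearer tokens standing in for real sessions (assumption for the demo).
TOKENS = {"tok-alice": 1, "tok-bob": 2}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


class Api:
    """Tiny request router. strict=True enables the hardened handlers."""

    def __init__(self, strict: bool):
        self.strict = strict
        self.users = copy.deepcopy(SEED_USERS)

    def _caller(self, headers: dict):
        parts = headers.get("Authorization", "").split(" ", 1)
        if len(parts) != 2 or parts[0] != "Bearer":
            return None
        return TOKENS.get(parts[1])

    def get_user(self, user_id: int, headers: dict) -> Response:
        caller = self._caller(headers)
        if caller is None:
            return Response(401)
        # Vulnerable path: authenticated, but ownership is never checked -> BOLA.
        # Hardened path: a caller may only read their own record.
        if self.strict and caller != user_id:
            return Response(403)
        row = self.users.get(user_id)
        return Response(200, dict(row)) if row else Response(404)

    def patch_user(self, user_id: int, headers: dict, payload: dict) -> Response:
        caller = self._caller(headers)
        if caller is None:
            return Response(401)
        if self.strict and caller != user_id:
            return Response(403)
        row = self.users.get(user_id)
        if row is None:
            return Response(404)
        if self.strict:
            # Hardened: allowlist of client-writable fields.
            allowed = {"email"}
            row.update({k: v for k, v in payload.items() if k in allowed})
        else:
            # Vulnerable: bind whatever the client sent -> mass assignment.
            row.update(payload)
        return Response(200, dict(row))


def auth(token: str) -> dict:
    return {"Authorization": f"Bearer {token}"}


def check_bola(api: Api, victim_id: int, attacker_token: str) -> bool:
    """Cross-account read: does another user's object come back with 200?"""
    r = api.get_user(victim_id, auth(attacker_token))
    return r.status == 200 and r.body.get("id") == victim_id


def check_mass_assignment(api: Api, user_id: int, token: str, fld: str, value) -> bool:
    """Send a field the client must not control and see whether it persists."""
    before = api.get_user(user_id, auth(token)).body.get(fld)
    api.patch_user(user_id, auth(token), {fld: value})
    after = api.get_user(user_id, auth(token)).body.get(fld)
    return before != after and after == value


def run_checks(strict: bool) -> dict:
    api = Api(strict=strict)
    return {
        "bola": check_bola(api, victim_id=1, attacker_token="tok-bob"),
        "mass_assignment": check_mass_assignment(api, 2, "tok-bob", "role", "admin"),
    }


if __name__ == "__main__":
    print("vulnerable:", run_checks(strict=False))
    print("hardened:  ", run_checks(strict=True))
```

The two checks are deliberately read-back based: a 200 on the PATCH alone proves nothing, since many frameworks echo the request body, so the test re-fetches the object and compares the field before and after. The same pattern extends to BFLA by calling an admin-only function with a low-privilege session and checking for a state change rather than a status code.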

Desirable (Not Required)

  • Familiarity with cloud-native web services (serverless apps, API gateways, WAF bypasses).

  • Knowledge of CI/CD security (secrets exposure, insecure build pipelines).

  • Experience integrating pentesting results into bug bounty or SDLC workflows.

  • Relevant certifications such as OSWE, OSCP, GWAPT, eWPTX.



What we offer:

  • A flexible, hybrid work model

  • Great workplace in a new modern office in Warsaw

  • Career development, 360° Feedback & Mentoring programme

  • Wide access to professional development tools, trainings, & conferences

  • Company Bonus & Reward Structure

  • VIP Medical Care Package (including Dental & Mental health)

  • Holiday allowance (“Wczasy pod gruszą”)

  • Life & Travel Insurance

  • Pension plan

  • Co-financed sport card - FitProfit

  • Meals Subsidy in Office

  • Additional days off

  • Budget for Home Office Setup & Maintenance

  • Access to Company Game Room equipped with table tennis, soccer table, Sony PlayStation 5 and Xbox Series X consoles setup with premium game passes, and massage chairs

  • Tailor-made support in relocation to Warsaw when needed

Please send your CV in English.

Published: 21.08.2025

Meet the company

Bayer Sp. z o.o.

Digital Hub Warsaw - here the best and most creative minds work in a diverse and inclusive environment on groundbreaking solutions that support Bayer's vision of "health for all - hunger for none." We create digital solutions that change the future.
