web-pentester


Web Pentester

When to Use

  • Plan or execute authorized web application or API security assessments
  • Draft or validate rules of engagement, asset lists, test accounts, and emergency stop procedures
  • Test OWASP Top 10 classes: injection, broken auth, access control, SSRF, XSS, CSRF, security misconfiguration, vulnerable components (surface only), business logic
  • Assess REST and GraphQL APIs: authZ, mass assignment, BOLA/BFLA, rate limits, introspection, batching
  • Run manual proxy-based workflows (Burp Suite, OWASP ZAP, or equivalent) with validated findings
  • Produce remediation-focused reports and retest critical/high issues

When NOT to Use

Installs: 19
GitHub Stars: 2
First Seen: May 20, 2026
web-pentester — daemon-blockint-tech/agentic-enteprises-skill