Web & Application Penetration Tester

Bayer
Warsaw, Masovian Voivodeship
2 days ago

At Bayer we’re visionaries, driven to solve the world’s toughest challenges and striving for a world where ‘Health for all, Hunger for none’ is no longer a dream but a real possibility. We’re doing it with energy, curiosity and sheer dedication, always learning from the unique perspectives of those around us, expanding our thinking, growing our capabilities and redefining ‘impossible’. There are so many reasons to join us. If you’re hungry to build a varied and meaningful career in a community of brilliant and diverse minds to make a real difference, there’s only one choice.




For Digital Hub Warsaw, we are looking for:


Web & Application Penetration Tester


We are looking for a Web/Application Penetration Tester with at least 5 years of solid, hands-on offensive security experience. This role requires deep technical knowledge of modern applications, creative vulnerability exploitation, and strong collaboration skills to help secure critical platforms and services.


Key Tasks & Responsibilities:


  • Web & API Assessments
    • Perform detailed penetration tests against web applications, APIs, and microservices.
    • Identify vulnerabilities in authentication, session management, authorization, and data validation.
    • Exploit and demonstrate insecure direct object references, SQLi, XSS, SSRF, template injection, deserialization, CSRF, and business logic flaws.
    • Test GraphQL, REST, and gRPC APIs for access control bypasses, injection flaws, and mass-assignment risks.
  • Mobile Application Testing
    • Assess Android/iOS apps for insecure storage, traffic interception, SSL pinning, hardcoded secrets, and API misconfigurations.
    • Reverse and analyze application logic using Frida, Objection, Burp Mobile Suite, JADX, or Hopper.
  • Code & Dependency Security
    • Conduct static and dynamic analysis of application codebases where applicable.
    • Identify risks in third-party dependencies, supply chain integrations, and open-source libraries.
  • Reporting & Communication
    • Write clear, reproducible, and actionable reports with proof-of-concept exploit details.
    • Communicate findings to developers and architects in a way that drives real remediation, not just documentation.
    • Provide secure coding recommendations mapped to OWASP and industry best practices.
  • Continuous Improvement
    • Develop scripts and custom tooling to automate test cases, payload generation, and reporting workflows.
    • Stay ahead of emerging attack vectors in web frameworks, cloud-native apps, and modern authentication schemes (OAuth2, JWT, SAML).
    • Contribute to internal methodology updates and maintain a repository of test cases and payloads.

Qualifications & Competencies (education, skills, experience):


  • Core Web Security
    • Strong understanding of HTTP, cookies, headers, sessions, CORS, and TLS.
    • Expert with Burp Suite Pro and related tooling (Extender, Collaborator, custom extensions).
    • Ability to manually identify and exploit injection flaws, race conditions, and logic bypasses.
  • Modern Web Technologies
    • Familiarity with single-page app frameworks (React, Angular, Vue) and their unique security issues.
    • Hands-on experience testing OAuth2, OpenID Connect, SAML, and JWT implementations.
    • Knowledge of SSO, MFA, and federation mechanisms and their common pitfalls.
  • API Security
    • Proficient in testing REST, GraphQL, SOAP, and gRPC endpoints.
    • Experience with mass assignment, broken object-level authorization (BOLA), and broken function-level authorization (BFLA).
    • Ability to assess rate limiting, replay attack defenses, and API abuse scenarios.
  • Mobile Application Security
    • Understanding of OWASP Mobile Top 10 risks.
    • Familiarity with APK/IPA unpacking, dynamic instrumentation, and certificate pinning bypass.
  • Scripting & Tooling
    • Proficiency in Python, JavaScript, or Bash/PowerShell for exploit development and automation.
    • Ability to create custom PoCs instead of relying solely on scanners.
    • Familiarity with tools such as sqlmap, ffuf, nuclei, mitmproxy, Postman, Frida, and Objection.

  • Motivated & Proactive – Self-starter who keeps up with modern attacker tradecraft.
  • Team Player – Works effectively with developers, QA, and security engineers; values collaboration over silos.
  • Problem Solver – Can take vague or incomplete application designs and still identify weak points.
  • Clear Communicator – Explains technical findings in developer-friendly language with practical fix guidance.

Desirable (Not Required)

  • Familiarity with cloud-native web services (serverless apps, API gateways, WAF bypasses).
  • Knowledge of CI/CD security (secrets exposure, insecure build pipelines).
  • Experience integrating pentesting results into bug bounty or SDLC workflows.
  • Relevant certifications such as OSWE, OSCP, GWAPT, eWPTX.

What we offer:


  • A flexible, hybrid work model
  • Great workplace in a new modern office in Warsaw
  • Career development, 360° Feedback & Mentoring programme
  • Wide access to professional development tools, training and conferences
  • Company Bonus & Reward Structure
  • VIP Medical Care Package (including Dental & Mental health)
  • Holiday allowance (“Wczasy pod gruszą”)
  • Life & Travel Insurance
  • Pension plan
  • Co-financed sports card (FitProfit)
  • Meals Subsidy in Office
  • Additional days off
  • Budget for Home Office Setup & Maintenance
  • Access to the company game room, equipped with table tennis, a foosball table, Sony PlayStation 5 and Xbox Series X consoles with premium game passes, and massage chairs
  • Tailor-made relocation support for moving to Warsaw when needed
  • Please send your CV in English

Do you feel you don’t meet all the criteria we are looking for? That doesn’t mean you aren’t the right fit for the role. Apply with confidence; we value potential over perfection.


WORK LOCATION: WARSAW AL.JEROZOLIMSKIE 158



YOUR APPLICATION



Bayer welcomes applications from all individuals, regardless of race, national origin, gender, age, physical characteristics, social origin, disability, union membership, religion, family status, pregnancy, sexual orientation, gender identity, gender expression or any unlawful criterion under applicable law. We are committed to treating all applicants fairly and avoiding discrimination.

Bayer is committed to providing access and reasonable accommodations in its application process for individuals with disabilities and encourages applicants with disabilities to request any needed accommodation(s) using the contact information below.

Bayer offers the possibility of working in a hybrid model. We know how important work-life balance is, so our employees can work from home, from the office, or combine both work environments. How the hybrid model is used is discussed with the manager in each case.
Bayer respects and applies the Whistleblower Act in Poland.




Location:
Poland : Mazowieckie : Warszawa

Division:
CSF

Reference Code:
851278
