
Closed
Published
Paid on delivery
My custom ERPNext / Frappe application is live and handling sensitive business data, so I need a thorough application-level penetration test carried out strictly under OWASP methodology. The scope is the full web stack exposed by the app: all HTTP(S) endpoints, client-side code, server-side logic and the REST API. Please exercise the assessment as a real-world attacker would—manual testing supported by tools such as Burp Suite, OWASP ZAP, or equivalent—then document every confirmed vulnerability with clear reproduction steps and risk ratings. Where possible, include a practical fix or mitigation I can implement directly in the Frappe framework.

Deliverables
• Executive-level summary (non-technical)
• Detailed technical report covering findings mapped to OWASP Top 10, proof-of-concept payloads, and screenshots/logs
• Prioritised remediation roadmap
• Optional short re-test once fixes are deployed (quote hours separately)

All testing must be non-disruptive to production; I will provide a staging URL and credentials.
Project ID: 40157629
16 proposals
Remote project
Active 24 days ago
16 freelancers are bidding on average $132 USD for this job

Greetings of the day! I have gone through the shared description and it seems like you are looking for a pen-tester who can perform an assessment of the defined scope. I have been working with Big4 in the domain of Information Security. I hold 10+ years of experience in the domain of Vulnerability Assessment & Penetration Testing. Below is a small description of my experience.

I have delivered multiple engagements on areas such as Application Security Assessment, Network Architecture reviews, Vulnerability Assessment, Penetration Tests, Configuration Reviews, Mobile Application Security, Information Security Audits, GE Vendor Assessments, Cloud Security, Maturity Assessment, Phishing & Vishing Simulation, and Source Code Review. I have rendered these services to many global multinational organizations on both small one-time engagements as well as large-scale delivery projects. I have worked with clients across a range of industries, including Information Technology Services, Banking, Financial Services (NHB & NBFC), E-commerce, KPO, Automotive, and BPO.

I have all professional licensed tools to perform this engagement. The list of licensed tools is mentioned below:
• BurpSuite
• Acunetix
• Nessus
• HPE WebInspect
• Fortify

Kindly message me for a sample report. Hope to hear back from you :-)
$30 USD in 7 days
5.2

Hello, I am a cybersecurity and Digital Forensics consultant specializing in application-level penetration testing under OWASP Top 10 methodology. I have hands-on experience testing ERPNext / Frappe-based applications handling sensitive business data. I will perform a real-world attacker style assessment on your staging environment, using manual testing supported by Burp Suite, OWASP ZAP and custom techniques, covering:
1. All exposed HTTP(S) endpoints
2. Client-side and server-side logic
3. REST API and authentication/session flows

Deliverables:
* Clear executive summary
* Detailed technical report mapped to OWASP Top 10
* Step-by-step reproduction, PoCs, risk ratings, and evidence
* Practical remediation guidance specific to the Frappe framework

All testing will be strictly non-disruptive and professionally documented.
Regards, Kajal Majhi
$350 USD in 7 days
4.9

Hello, As a Quality Analyst professional, I bring vast experience spread across different domains and clients based out of different geographies. I have played different roles and have worked closely with the client and development team. Some of my work highlights include:
• Extensive knowledge in Functional, Regression, System Testing, Security Testing.
• Experience in Media and Finance Management, Mobile Banking (Mobile Money) domain, Investment, Credit Scores, Payments, E-Commerce, ERP, Education, Security Testing
• Implemented VAPT Testing methodology: Reconnaissance, Target Assessment, Confirming Remediation, Vulnerability Analysis, Prioritising, Reporting
• Provide detailed report with Issue Detail, Issue Remediation, References, Vulnerability classifications.
• Worked on key Vulnerability Report for a payment giant in USA and prevented Huge Security Risk on Prod.

Types of test cases covered: Authentication Testing, Testing for Cookie Attacks, Access Control, Data Validation, Cross-Origin Resource Sharing, Assessment of clickjacking.
Tools worked with: Postman, SoapUI, Selenium Webdriver, JMeter, Jenkins, Github, Playwright, BurpSuite, Kali Linux
Languages: Java, Python, C#, Javascript

As a detail-oriented and organized professional, I take pride in completing assignments on time and with accuracy. I am a fast learner and really like to explore new challenges coming my way. Looking forward to hearing from you!
Thanks, Sonal K
$20 USD in 7 days
1.8

We at Offensium Vault Private Limited (ISO 27001:2022 & ISO 9001:2015) can support this engagement. Our team has hands-on experience performing OWASP-aligned application-level penetration testing on ERPNext / Frappe-based applications handling sensitive business data. We conduct manual, attacker-style testing across web interfaces, REST APIs, client-side logic, and server-side workflows, supported by industry-standard tooling where appropriate.

What we’ll deliver:
• Non-disruptive testing against your staging environment
• OWASP Top 10–mapped findings with clear reproduction steps, PoCs, and risk ratings
• Practical, Frappe-specific remediation guidance your team can implement directly
• Executive summary for stakeholders and a prioritised remediation roadmap
• Optional re-test after fixes (can be scoped separately)

We follow a structured, ethical methodology focused on real-world exploitability and actionable outcomes, not just scanner output. Happy to share a sample redacted VAPT report and confirm timelines once access details are shared.
$250 USD in 7 days
1.4

Hey there, I am an Application Security / Penetration Testing engineer with over 5 years of experience securing production-grade web applications. I will conduct a full OWASP-based manual penetration test on your ERPNext/Frappe stack, simulating real-world attacks across HTTP(S) endpoints, client-side code, server logic, and REST APIs using tools like Burp Suite and OWASP ZAP. My expertise includes OWASP Top 10, web & API security testing, Frappe/ERPNext internals, and secure remediation guidance. You’ll receive a clear executive summary, a deep technical report with PoCs and fixes mapped to Frappe, plus a prioritized remediation roadmap and optional re-test. With my experience, I’m sure I can complete this efficiently while keeping production safe and delivering actionable results. Feel free to check my profile and contact me for more details. Regards,
$120 USD in 7 days
0.8

Hi There, I came across your post about Frappe App Security Pen Test, and it’s exactly what I work on every day. Based on your requirements around Application Penetration Testing, here is how I would test your environment using a structured, industry-standard methodology, including:
1. Manual and automated testing for specific vulnerabilities, e.g., Broken Access Control, IDOR, authentication bypass, injection flaws
2. Testing aligned with OWASP Testing Guide v4 (OTGv4), OWASP Top 10, NIST SP 800-115, and SANS Top 25
3. Risk-based validation and reporting with clear severity ratings, impact analysis, and remediation guidance

My background:
1. I have 5+ years of hands-on experience in penetration testing across web, mobile, system, network, and social engineering engagements
2. I follow a systematic, industry-standard methodology including OWASP Testing Guide v4 (OTGv4), SANS Top 25, NIST SP 800-115, and PCI DSS
3. I have delivered real-world security assessments that helped organizations identify and remediate high-risk vulnerabilities before exploitation

I’d love to help you identify real security risks, reduce attack surface, and strengthen your overall security posture. If it’s a fit, I can start with a small initial assessment to quickly demonstrate value, and then support you with deeper testing or ongoing security efforts as needed.
Looking forward to hearing from you, Venkatesan
$30 USD in 7 days
0.0

Hi, I’ll conduct a non-disruptive, application-level penetration test on your staging ERPNext instance following OWASP Testing Guide v4 and PTES standards, simulating real-world attacker behavior.

✅ Scope:
• Full assessment of HTTP(S) endpoints, REST API, client-side JS, and server-side logic
• Manual testing + Burp Suite Pro / OWASP ZAP for dynamic analysis
• Focus on OWASP Top 10 (e.g., Broken Access Control, Injection, SSRF, IDOR) common in Frappe apps

✅ Deliverables:
• Executive Summary: Business-risk overview (non-technical)
• Technical Report: Each finding mapped to OWASP Top 10; proof-of-concept payloads, screenshots, and request/response logs; Frappe-specific remediation (e.g., has_permission hooks, role-based API hardening)
• Prioritized Remediation Roadmap: Critical → Low, with effort estimates

✅ Process:
• All testing on your staging environment
• Zero data modification or service disruption
• CVSS v3.1 risk scoring with clear justification

I’ve audited 8+ Frappe/ERPNext deployments and am familiar with its permission model, DocTypes, and API quirks. Ready to start upon receipt of staging access.
Thanks, Rasel
$100 USD in 7 days
0.0

As an experienced cybersecurity professional specializing in web and mobile application security, I deliver meticulous penetration testing aligned with project requirements. Over five years, I’ve mastered Burp Suite, OWASP ZAP, SQLMap, Nikto, and Nmap, applying repeatable, standards-driven methodologies. My testing aligns with OWASP Top 10, uncovering issues such as SQL injection, XSS, and other critical threats. I hold the OSCP certification, reflecting strong technical expertise and ethical practice. Beyond identifying vulnerabilities, I provide clear, actionable remediation guidance, ensuring security improvements are practical, measurable, and effective. Clients receive comprehensive reports, risk prioritization, and ongoing support throughout remediation cycles and follow-up validation.
$20 USD in 5 days
0.0

I will perform a test on your website with a grey-box technique; I need two accounts for testing purposes. I will cover everything that is needed from the OWASP Top 10. My main tool is Burp Suite Professional; others I will adjust based on what I will have. You will receive a report with all necessary info. Please check my profile.
$300 USD in 3 days
0.0

I have experience testing apps (bugcrowd, hackerone, yeswehack), and I have worked on network penetration testing.
$100 USD in 7 days
0.0

With an extensive background in software testing and a commitment to using proven methodologies like OWASP, I am confident I can deliver the comprehensive and targeted security penetration test you are seeking for your Frappe application. Having previously carried out assessments similar to yours, I understand the gravity of securing sensitive business data and the potential risks imposed by even the smallest vulnerabilities overlooked. My approach to conducting penetration tests is to emulate real-world attackers as closely as possible. By combining manual testing with sophisticated tools like Burp Suite and OWASP ZAP, I can thoroughly scrutinise every aspect of your application – from client-side code to server-side logic and REST APIs – for potential vulnerabilities that may expose your valuable data. Furthermore, my proficiency in performing preventive maintenance and repair services on various equipment reflects my keen attention to detail in isolating and resolving issues efficiently. This skillset enables me not only to identify vulnerabilities but also to recommend practical fixes and mitigations tailored specifically for the Frappe framework.
$28 USD in 7 days
0.0

Hi, I am a Penetration Tester with experience in securing web applications. I can perform a thorough OWASP-based security assessment of your Frappe/ERPNext application.

Scope of Work:
• Reconnaissance: Enumerating endpoints and hidden assets using custom tools.
• Vulnerability Scanning: Checking for SQLi, XSS, and Misconfigurations.
• Reporting: A professional report listing all findings with proof-of-concept.

I am available to start the scan immediately using my Kali Linux security suite.
Best, [karan]
$20 USD in 7 days
0.0

Hello, We are the cybersecurity team from Intimetec Visionsoft Pvt. Ltd., specializing in web application penetration testing. Our approach focuses on identifying real-world security vulnerabilities using industry best practices and providing remediation guidance. We can complete the assessment within 15 days and provide a detailed report including vulnerability descriptions, CVSS scores, PoCs for all findings, impacts and remediation steps. We also conduct the revalidation test once all the vulnerabilities are patched. Looking forward to working with you. Regards, Intimetec Visionsoft Pvt. Ltd.
$250 USD in 15 days
0.0

I would carry out a structured security test of the Frappe app comprising both automated and manual checks, in order to examine the application logic, API interfaces and user interactions for typical web security problems such as authentication and authorisation errors, injection risks, cross-site scripting or insecure configurations. In particular, I would analyse the REST and any GraphQL endpoints, review session management and input validation, and test for possible weaknesses in upload and data-import handling, in order to uncover and rule out real attack vectors. In addition, I would evaluate the configured permission models, role and privilege assignments and the integrity of the implemented security controls, including secure data transmission, consistency of access controls and potential logic errors in customer-specific extensions. The results would include both technical findings and concrete recommended measures for remediation and for raising overall application security, in order to make the Frappe app more robust against real threats.
$30 USD in 7 days
0.0

Lahore, Pakistan
Payment method verified
Member since Aug 3, 2018