Position Title: Manual Web Application Exploitation Engineer (Codename: WebVenom)
Department: Web Breach & Exploit Unit
Location: Remote Global Offensive RedOps
Employment Type: Contract-Based Target-Specific Missions
Reports To: Strategic Exploitation Strategist
Team: Member of a 4-Expert Deep Exploitation Cell
Company: Malan Softtech - Offensive Security & Penetration Engineering
About Malan Softtech
Malan Softtech is a specialist cyber exploitation firm focused on deep manual penetration of high-value, high-risk, and cloud-connected web platforms. We don't automate; we infiltrate. Our elite team bypasses protections, extracts impact, and demonstrates control where scanners fail.
Role Overview
As a Manual Web Application Exploitation Engineer, you will manually discover and execute complex attack chains across web applications, APIs, and token-based authentication systems. Your focus: logical flaws, deep-layer privilege escalations, and zero-footprint exploitation.
Core Responsibilities
• Execute manual exploitation against real-world web applications; no automated scanners
• Craft blind/time/error-based SQLi payloads without tools
• Intercept and manipulate auth/session logic using Burp Suite only
• Chain IDORs, CSRFs, and logic flaws to reach admin-level access
• Manually fuzz forgotten uploaders, path traversals, and hidden panels
• Build end-to-end PoCs via Burp's Repeater, Intruder, and Sequencer
• Coordinate post-breach escalation with internal infrastructure team
Required Skills
• Deep manual experience with Burp Suite (Intruder, Repeater, Sequencer)
• SQLi payload crafting across MySQL, PostgreSQL, MSSQL
• Mastery in session abuse, token manipulation, and header-based exploits
• Familiarity with Host Header Injection, open redirects, SSTI, and access misconfigurations
• Fluent in breaking obfuscated JavaScript logic and API workflows
• Experience with manual admin panel breach through URL fuzzing or chained bypasses
Bonus Advantage
• Experience with race condition exploitation
• Manual bypass of JS security challenges (CAPTCHA/redirect logic)
• Use of hybrid browser dev tools + Burp for debugging dynamic flows
Tactical Mindset
• Every redirect is a clue; every response is an angle
• Form logic is the weakest point, not form validation
• Precision over noise. Manual over automation. Stealth over speed
Example Operation
"Hidden login panel uses non-standard X-Token-Dev header. You chain session tokens using Burp, exploit auth bypass, access /admin/report-export, and fuzz input to leak entire user DB via blind SQLi, without any detection."
Execution Model
• Fully manual, Burp-based operations only
• No scans, no generic reports
• Encrypted, scope-locked missions
• Works silently with cloud/IP teams for escalation
Engagement & Compensation
• Encrypted target assignments
• Pay-per-success (per exploit chain, not per bug)
• Option for long-term confidential retainer
How to Apply
Submit a sample of your best Burp Suite-based exploit chains, including blind SQLi, logic bypasses, or chained auth exploits. Highlight request/response tampering and thought process; screenshots or logs welcome.