Shridatree Mitra

API Security Testing

• Performed API vulnerability assessments on APIs using Burp Suite and Postman.
• Tested authentication and authorization mechanisms (OAuth, JWT, API keys) to prevent privilege escalation and access control flaws.
• Conducted security assessments on the API, intercepting it with Postman and Burp Suite Professional tools to identify and exploit flaws, misconfigurations, and security vulnerabilities using both manual and automated scans.
• Generated reports and recommendations based on discoveries, detailing the uncovered security issues, their risk levels, and mapping them according to OWASP Top 10 standards.
• Validated HTTP methods (GET, POST, PUT, DELETE) are properly restricted.
• Discovered unintended endpoints (via fuzzing or misconfigured API gateways).
• Offered suggestions to the application team for addressing identified vulnerabilities and assisted in their resolution.

DAST

• Performed regular DAST scans on applications using AppSec tool.
• Analyzed and triaged scan findings to eliminate false positives, and prioritized remediation steps.
• Collaborated with development teams to integrate DAST tools.
• Documented processes and developed training materials to increase DAST adoption internally.
• Maintained vulnerability dashboards and ensured timely delivery of security engagements, managing multiple DAST projects simultaneously while maintaining quality and client satisfaction.

Web application testing

• Conducted end-to-end dynamic application security testing (DAST) on enterprise web applications using Burp Suite, Invicti, and IASP.
• Proficient in understanding application-level vulnerabilities like XSS, SQL Injection, CSRF, Clickjacking, Authentication Bypass, Session Fixation, Directory Traversal, SSRF, etc.
• Conducted web application testing using the Burp Suite Professional tool, addressing OWASP Top 10 vulnerabilities, and manually exploited them to verify false positives.
• Identified security breaches to assess application resilience.
• Performed authenticated and unauthenticated scans, validating session management, cookies, and token-based authentication (JWT, OAuth).
• Collaborated with developers and clients to remediate identified vulnerabilities, and provide mitigation advice.