Elite Penetration Tester for Payment Engine

Customer: AI | Published: 01.10.2025
Budget: 750 $

The Phantom Payment

Position: Senior Offensive Security Engineer - Financial Systems & Business Logic
Location: Remote / Anywhere
Type: Full-Time

About the Role:
Do you see the hidden pathways in complex transaction flows? We are hunting for an elite penetration tester to attack our core payment engine, "PesaFlow," which authenticates millions of transactions for the "eCtizen" government services portal. We're not looking for checkbox scanners; we're looking for a security artist who can find the single flaw that breaks the entire financial logic. Anomalies suggest services are being activated without valid payment. Your mission is to find out how, weaponize it, and show us how to build it right.

The Challenge:
The PesaFlow system uses a state-based polling mechanism to confirm payments. The front-end (eCtizen) and back-end (PesaFlow) communicate via APIs to move a transaction from PENDING to SUCCESS. We need you to tear this process apart. Your goal is to demonstrate a reliable method to illegitimately obtain a high-value service (e.g., a passport, business license) without a successful financial transfer.

Key Responsibilities:
· Architect and execute sophisticated attacks against the payment lifecycle, focusing on state machine manipulation, race conditions, and idempotency failures.
· Reverse-engineer API communications between the eCtizen portal, PesaFlow backend, and banking gateways to identify trust flaws.
· Develop custom tools or scripts to automate the exploitation of complex business logic vulnerabilities.
· Move beyond the OWASP Top 10 and pioneer techniques for breaking financial-grade authentication and validation systems.

What You'll Bring:
· Proven experience in exploiting business logic flaws in payment systems, e-commerce platforms, or financial technology.
· Mastery of tools like Burp Suite, with deep experience using extensions for race condition testing (e.g., Turbo Intruder).
· The ability to think in "states" and "sequences" and articulate how to maliciously manipulate them.
· Proficiency in at least one scripting language (Python, Bash) for creating Proof-of-Concept exploits.
· An adversarial mindset that enjoys breaking complex systems more than checking vulnerability lists.

Your Application Challenge (The Real Interview Starts Here):
In your application, please include a "Conceptual Exploitation Brief." Describe, in 1-2 pages, a theoretical attack vector against a payment loop system. Detail:
1. The Flaw: What specific logic error are you targeting? (e.g., TOCTOU, improper failure handling, callback spoofing).
2. The Kill Chain: The step-by-step path an attacker would take, from initiation to successful service acquisition.
3. The Proof: How you would demonstrate this exploit in a black-box/grey-box test.
4. The Fix: The core architectural or code-level change required to mitigate it.
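The posting names three logic flaws in a PENDING-to-SUCCESS polling loop (TOCTOU/race conditions, improper failure handling, callback spoofing) and asks for "The Fix". The example below is added here as an illustration of that fix side; it is not code from the posting, from PesaFlow or from the eCtizen portal, and every name in it (the PaymentLedger class, the callback field names, the shared secret, the sample transactions) is a constructed assumption. It shows a server-side ledger where the front-end can only read state, where a gateway callback is authenticated with an HMAC before it is parsed, where the check-and-transition is one critical section keyed by a callback idempotency id, and where FAILED is terminal so a later SUCCESS cannot reopen it. The demo() function delivers the same callback twenty times concurrently and confirms the service is activated exactly once.

```python
import hashlib
import hmac
import json
import threading
from dataclasses import dataclass, field

# Shared secret between gateway and backend (constructed for this example;
# a real deployment loads it from a secret store, never from source).
GATEWAY_SECRET = b"constructed-demo-secret"

PENDING, SUCCESS, FAILED = "PENDING", "SUCCESS", "FAILED"
# The only legal transitions; SUCCESS and FAILED are terminal states.
ALLOWED = {(PENDING, SUCCESS), (PENDING, FAILED)}


@dataclass
class Transaction:
    tx_id: str
    amount: int                      # minor units, fixed when the order is created
    state: str = PENDING
    seen_callbacks: set = field(default_factory=set)  # idempotency keys applied


class PaymentLedger:
    """Server-side source of truth for payment state and service activation."""

    def __init__(self):
        self._lock = threading.Lock()
        self._tx = {}
        self.activations = []        # services actually granted, in order

    def create(self, tx_id, amount):
        with self._lock:
            self._tx[tx_id] = Transaction(tx_id, amount)

    def poll(self, tx_id):
        # The front-end only reads state; nothing it sends can change it.
        with self._lock:
            return self._tx[tx_id].state

    def handle_callback(self, raw_body, signature_hex):
        """Apply one gateway callback and return a short result code."""
        # Callback spoofing: authenticate the raw bytes before parsing them.
        expected = hmac.new(GATEWAY_SECRET, raw_body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature_hex):
            return "rejected:bad-signature"
        cb = json.loads(raw_body)
        tx_id, new_state, key = cb["tx_id"], cb["state"], cb["callback_id"]
        with self._lock:  # TOCTOU: check and update happen in one critical section
            tx = self._tx.get(tx_id)
            if tx is None:
                return "rejected:unknown-tx"
            if key in tx.seen_callbacks:
                return "ignored:duplicate"          # idempotent replay
            tx.seen_callbacks.add(key)
            if (tx.state, new_state) not in ALLOWED:
                return f"rejected:illegal-transition:{tx.state}->{new_state}"
            # Amount is checked against the stored order, not trusted from the callback.
            if new_state == SUCCESS and cb.get("amount") != tx.amount:
                return "rejected:amount-mismatch"    # stays PENDING for reconciliation
            tx.state = new_state
            if new_state == SUCCESS:
                self.activations.append(tx_id)      # activate only after committed SUCCESS
        return f"applied:{new_state}"


def sign(body):
    """Stand-in for the gateway's signing step (constructed helper)."""
    return hmac.new(GATEWAY_SECRET, body, hashlib.sha256).hexdigest()


def demo():
    """Run constructed scenarios and return what each produced."""
    ledger = PaymentLedger()
    ledger.create("tx-1", 5000)
    ok = json.dumps({"tx_id": "tx-1", "state": SUCCESS, "amount": 5000, "callback_id": "cb-1"}).encode()
    results = []
    # Twenty concurrent deliveries of the same callback must activate the service once.
    threads = [threading.Thread(target=lambda: results.append(ledger.handle_callback(ok, sign(ok))))
               for _ in range(20)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    # A forged callback carries no valid signature and is rejected before parsing.
    forged = json.dumps({"tx_id": "tx-1", "state": SUCCESS, "amount": 5000, "callback_id": "cb-x"}).encode()
    spoof = ledger.handle_callback(forged, "00" * 32)
    # Failure handling: once FAILED, a later SUCCESS callback must not reopen the order.
    ledger.create("tx-2", 5000)
    failed = json.dumps({"tx_id": "tx-2", "state": FAILED, "callback_id": "cb-2"}).encode()
    late = json.dumps({"tx_id": "tx-2", "state": SUCCESS, "amount": 5000, "callback_id": "cb-3"}).encode()
    ledger.handle_callback(failed, sign(failed))
    reopen = ledger.handle_callback(late, sign(late))
    return {"applied": results.count("applied:SUCCESS"),
            "duplicates": results.count("ignored:duplicate"),
            "activations": list(ledger.activations),
            "spoof": spoof, "reopen": reopen, "tx2_state": ledger.poll("tx-2")}


if __name__ == "__main__":
    print(demo())
```

The design point is that none of the three mitigations depends on the front-end behaving: the poll endpoint is read-only, the callback is authenticated on its raw bytes, and the transition table plus the idempotency set are consulted under the same lock that performs the write, so a concurrent or replayed confirmation can never produce a second activation. In a real system the lock becomes a database transaction with a conditional update (UPDATE ... WHERE state = 'PENDING'), which preserves the same single-winner property.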