Skip to content

Case Study / Web application VAPT

JWT “none”-algorithm bypass — and the chain behind it

A fast-growing survey platform processing increasingly sensitive business feedback engaged us for an end-to-end vulnerability assessment and penetration test. The platform had scaled quickly; its security review hadn't kept pace with its data.

Fast-growing SaaS survey platform · Middle East

What we found

JWT “none”-algorithm bypass

The JWT implementation accepted tokens signed with the “none” algorithm — an unsigned token was a valid token. Practical effect: any user could be impersonated, including administrators, by crafting a token by hand.

Publicly accessible S3 bucket

User-uploaded files lived in a world-readable Amazon S3 bucket. Anyone with the bucket name could enumerate and download customer uploads — no authentication involved.

Role-based access control gaps

Privilege checks were inconsistently enforced across endpoints; lower-privileged users could reach restricted functionality directly.

Unrestricted file upload

Uploads were accepted without sufficient content validation, opening a path for hostile files to enter the platform.

How we worked

OWASP-aligned manual testing

Full web-application assessment following the OWASP Top 10 methodology — manual testing for the logic and chaining that scanners can't reason about.

Controlled exploitation

Each critical finding was demonstrated in a controlled way — not asserted from a scanner line — so severity discussions were about evidence, not opinion.

Chained impact analysis

Findings were presented as attack chains (public bucket + token forgery + RBAC gaps = full data access) and translated into business consequences: financial, reputational, regulatory.

Developer-level remediation

Fix guidance written for the engineers who would implement it, plus secure-coding workshops for the team.

What changed

  • Critical findings — including the authentication bypass and public bucket — were remediated and verified on retest.
  • The engineering team left with concrete secure-coding practices, not just a report.
  • The engagement established the security baseline the platform now builds on.

Client identity is confidential by agreement. Findings are published with the client’s engagement anonymized; we never publish metrics we didn’t measure.

Ready to scope the work?

A 30-minute call with the engineers who will do the testing — not a sales gate.

Book a scoping call