JWT “none”-algorithm bypass
The JWT implementation accepted tokens signed with the “none” algorithm — an unsigned token was a valid token. Practical effect: any user could be impersonated, including administrators, by crafting a token by hand.
Case Study / Web application VAPT
A fast-growing survey platform processing increasingly sensitive business feedback engaged us for an end-to-end vulnerability assessment and penetration test. The platform had scaled quickly; its security review hadn't kept pace with its data.
Fast-growing SaaS survey platform · Middle East
The JWT implementation accepted tokens signed with the “none” algorithm — an unsigned token was a valid token. Practical effect: any user could be impersonated, including administrators, by crafting a token by hand.
User-uploaded files lived in a world-readable Amazon S3 bucket. Anyone with the bucket name could enumerate and download customer uploads — no authentication involved.
Privilege checks were inconsistently enforced across endpoints; lower-privileged users could reach restricted functionality directly.
Uploads were accepted without sufficient content validation, opening a path for hostile files to enter the platform.
Full web-application assessment following the OWASP Top 10 methodology — manual testing for the logic and chaining that scanners can't reason about.
Each critical finding was demonstrated in a controlled way — not asserted from a scanner line — so severity discussions were about evidence, not opinion.
Findings were presented as attack chains (public bucket + token forgery + RBAC gaps = full data access) and translated into business consequences: financial, reputational, regulatory.
Fix guidance written for the engineers who would implement it, plus secure-coding workshops for the team.
Client identity is confidential by agreement. Findings are published with the client’s engagement anonymized; we never publish metrics we didn’t measure.
A 30-minute call with the engineers who will do the testing — not a sales gate.