API Penetration Test — Critical Auth Bypass
The Discovery
During the assessment, I noticed that the API was not strictly enforcing the RS256 algorithm for JWT verification.
JWT Algorithm Confusion
By changing the header alg from RS256 to HS256 and signing the token with the server's public key (which was publicly accessible via .well-known/jwks.json), I was able to forge a valid administrative token.
Proof of Concept
I wrote a Python script to automate the token generation:
import jwt
public_key = open('public.pem').read()
admin_payload = {"user_id": 1, "role": "admin"}
forged_token = jwt.encode(admin_payload, public_key, algorithm='HS256')
Remediation
The fix involved updating the JWT library configuration to pin the list of accepted algorithms to RS256 alone, so that the alg value in a token header is checked against that list rather than used to choose how the signature is verified, regardless of what the header claims.
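The weak and hardened selection logic side by side, as an added example written for this page (not the report's or the platform's code); it uses only the standard library and stops at the algorithm pin, leaving RS256 signature verification against the JWKS key to the JWT library that runs after this check. The token builder is a constructed test helper with a placeholder signature.

```python
import base64
import json

# Pinned server-side. The token header must never be the source of this value.
EXPECTED_ALG = "RS256"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def parse_header(token: str) -> dict:
    """Decode the JOSE header of a compact JWT without trusting anything in it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("malformed JWT header")
    return header


def weak_select_algorithm(token: str) -> str:
    """Vulnerable pattern: let the token itself choose how it will be verified."""
    return parse_header(token)["alg"]


def is_algorithm_allowed(token: str, expected_alg: str = EXPECTED_ALG) -> bool:
    """Hardened pattern: the server pins the algorithm and the header must match it
    exactly. A case-sensitive comparison also rejects "none", "hs256" and a missing alg."""
    try:
        return parse_header(token).get("alg") == expected_alg
    except ValueError:
        return False


def enforce_algorithm(token: str, expected_alg: str = EXPECTED_ALG) -> dict:
    """Gate to call before handing the token to the signature verifier."""
    if not is_algorithm_allowed(token, expected_alg):
        raise ValueError(f"rejected token: header alg is not the pinned {expected_alg!r}")
    return parse_header(token)


def constructed_token(alg, payload: dict) -> str:
    """Constructed test helper: builds header.payload.signature with a placeholder signature."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"
```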
Conclusion
This finding prevented a potentially massive data breach and ensured the enterprise customer audit passed successfully.
The Context
An internal REST API powering a SaaS platform was flagged for security review before a major enterprise customer audit.
The Approach
Performed black-box API penetration testing using Burp Suite Pro and custom Python scripts. Focused on authentication flows, JWT handling, BOLA/BFLA, and rate-limiting controls.
The Impact
Discovered a critical authentication bypass via JWT algorithm confusion (CVE-class). Delivered a technical report with proof-of-concept, CVSS scoring, and a step-by-step remediation guide. The issue was patched and re-tested within 72 hours.