PentesterLab's Blog: Insights, weekly research highlights, and deep dives into web security, code review, and pentesting.

How "Strengthening Crypto" Broke Authentication: FreshRSS and bcrypt's 72-Byte Limit

As part of our CVE monitoring, we came across GHSA-pcq9-mq6m-mvmp (CVE-2025-68402), an authentication bypass in FreshRSS, a self-hosted RSS aggregator. It ...

By Louis Nyffenegger March 10, 2026 · 10 min read

Filter: All Research APPSEC AuthZ CAREER Code Review Insight JWT PENTESTING

JWT

CVE-2026-23993: JWT authentication bypass in HarbourJwt via “unknown alg”

I didn't know Harbour even existed as a language when I found this bug. The fun part is that I also ...

Louis Nyffenegger Jan 21, 2026 · 8 min read

JWT

The Ultimate Guide to JWT Vulnerabilities and Attacks (with Exploitation Examples)

JSON Web Tokens (JWTs) are widely used for authentication, authorization, and secure information exchange in modern web applications. They're often used ...

Louis Nyffenegger May 5, 2025 · 33 min read

JWT

The State of JWT Libraries on JWT.io: A Security Concern

JWT.io is widely known among developers for its convenient JWT debugger and its curated list of libraries supporting JSON Web Tokens ...

Louis Nyffenegger Mar 28, 2025 · 4 min read

JWT

Another JWT Algorithm Confusion Vulnerability: CVE-2024-54150

Recently, I was in Brisbane to give a talk on JWT algorithm confusion vulnerabilities. During a conversation with my friend Luke ...

Louis Nyffenegger Dec 20, 2024 · 7 min read

JWT

How to Securely Design Your JWT Library

I've read the source code of many JWT libraries—some might say, too many. In doing so, I've seen patterns of both ...

Louis Nyffenegger Dec 10, 2024 · 6 min read

JWT Code Review

How JWT Libraries Block Algorithm Confusion: Key Lessons for Code Review

When I wrote the first lab on algorithm confusion, I remember spending a bit of time trying to find a vulnerable ...

Louis Nyffenegger Nov 20, 2024 · 25 min read

JWT

How split() Can Prevent None Exploitation in JWT Validation

When doing security code review, you sometimes come across infuriating code—code that appears to be vulnerable but isn't, due to unexpected ...

Louis Nyffenegger Nov 13, 2024 · 7 min read

JWT

Algorithm Confusion Attacks against JWT using ECDSA

JSON Web Tokens (JWT) are widely used for authentication in modern applications. As their use increases, so does the importance of ...

Louis Nyffenegger Aug 3, 2023 · 5 min read