← All posts
researchJun 05, 2026·9 min read

What 500 automated pentests taught us about JWT handling

alg:none is dead, but weak secrets and unverified issuers are everywhere. The five JWT mistakes our AI finds most, ranked by real-world exploitability.

BO

Bogdan Chayka

chaosbyte crew

alg:none is dead, but weak secrets and unverified issuers are everywhere. After 500 automated pentests, we ranked the five JWT mistakes our AI finds most by how easily they turn into account takeover.

Why it matters

We keep seeing this pattern across the applications we test. It rarely shows up in a vulnerability scanner's signature list, because exploiting it means chaining a few small assumptions together the way a real attacker would — which is exactly what our AI is built to do.

What we recommend

Treat every trust boundary as hostile, verify server-side, and wire a check into your pipeline so a regression fails the build instead of shipping to production. If you want us to confirm whether you're exposed, point a free pentest at your URL and we'll have a prioritized report back in minutes.