Problem: The API gateway's JWT middleware accepted both RS256 and HS256 and let the token's own `alg` header choose which verification path ran. Because the HS256 path used the same configured key material as the RS256 path (the RSA public key), an attacker could forge a valid token for any user: set `alg` to HS256 and compute the HMAC over the token with the server's public key bytes as the secret. Automated scanners did not detect it; only manual JWT manipulation found the flaw.
Solution: Explicitly configured the JWT middleware to reject any token whose algorithm is not RS256, so server-side policy rather than the token header decides how a signature is checked. Added the JWT algorithm whitelist to the CI test suite so a future configuration change cannot silently re-enable HS256. Two additional medium-severity findings (a rate-limiting gap and verbose error stack traces) were remediated in the same sprint.
Technology: Burp Suite · JWT manipulation · Semgrep · GitHub Actions
Optimisation pattern: algorithm-confusion-to-explicit-rs256-whitelist
Outcomes:
Critical vulnerability closed and re-tested in 4 days. PCI DSS Level 1 audit passed. JWT algorithm whitelist prevents regression in CI.