Posts

JWTweak v2.1 – A Guided, Offline Toolkit for Modern JWT Attacks

Introduction: JSON Web Tokens sit at the heart of modern authentication – and because the token travels in the user’s hands, a single weak check on the server side can hand an attacker an admin account. JWTweak was built to test for exactly these flaws. It started as a small utility to switch a token’s algorithm and re-issue it in seconds, helping security enthusiasts hunt for issues like the JWT Algorithm Confusion Attack. Version 2.1 is a complete rewrite into a guided, menu-driven toolkit: you paste a token, it decodes and risk-analyses it, recommends the attacks that fit, and walks you through each one – entirely offline, with no flags to memorise. In this post we’ll tour the tool and then break into a deliberately vulnerable app with two live proof-of-concept attacks.

The Silent Takeover: Why Your AI Agent is a Security Nightmare in 2026

Look, if you’re still testing AI by just asking it to "tell me how to build a bomb" and checking if it says "I can't do that," you’re about three years behind the curve. In 2026, AI VAPT (Vulnerability Assessment and Penetration Testing) has moved way past basic jailbreaking. We’re now dealing with Agentic Workflows, where the AI isn't just a chatbot, but an employee with access to your Gmail, Drive, and internal APIs.

Credentials Bruteforce Bypass via Password Spraying Attack

I wrote about Password Spraying Attacks on OWASP, where I explained how this technique differs from traditional brute force attacks. In simple terms, password spraying is a variant of brute force attack methodology employed by malicious actors to gain unauthorized access to a system or application. In this type of attack, the assailant systematically attempts logins by using a list of usernames in conjunction with a single password, often a commonly used or default password. Unlike traditional brute force attacks, where multiple passwords are tried against a single account, password spraying involves trying one password across numerous accounts to evade account lockout mechanisms that would typically be triggered by repeated attempts on a single account. In this blog, I’m sharing the same insights with some additional context for readers of my personal site. Understanding this attack and its mitigations is crucial to building stronger defenses against evolving threats.

Understanding the CISSP Exam Pattern: Is There Negative Marking?

The Certified Information Systems Security Professional (CISSP) certification, offered by (ISC)², is one of the most recognized credentials in the cybersecurity industry. It validates an individual’s ability to design, implement, and manage a best-in-class cybersecurity program. Let’s break down the CISSP exam structure and address a common question: Is there negative marking in the CISSP exam?

Cloud Security Posture Management (CSPM) in 2024: Benefits & AWS Setup

Cloud Security Posture Management (CSPM) represents a proactive approach to cloud security, focusing on the continuous monitoring and assessment of cloud infrastructure. In today's digital landscape, where cloud adoption has become ubiquitous, organizations face an ever-evolving array of security challenges. CSPM serves as a critical component in identifying and mitigating potential security risks, ensuring that cloud environments remain secure and compliant.

Exploiting the Localhost Vulnerabilities on Custom Public Domains

Understanding Localhost and Its Security Implications: Localhost, often referred to as 127.0.0.1 or simply “home,” is a loopback network interface that a computer uses to communicate with itself. Predominantly used in software development, localhost facilitates the testing and debugging of applications in a controlled environment, separate from external networks. This isolation is crucial for developers to ensure the functionality and security of their code before deploying it to a live server.