Casco Supervised

Get the best of both worlds. Expert human security engineers and an autonomous pentesting agent.

Schedule a pentest Request sample pentest report

Cut Delays, Not Quality

Casco Supervised covers OWASP Top 10, OWASP API Top 10, OWASP LLM Top 10, OWASP Cloud Top 10, OWASP Agentic Threat Model, and proprietary threat vectors.

No time wasted on false-positives

Human security engineers from formerly AWS, NSA, and the US Military actively work on every pentest. They verify every finding to reduce false-positives.

Address findings as you go

Get findings as they're discovered. Ask any questions directly in a joint Slack channel, Teams chat, or email threads.

Trusted by teams building the future

Work with Expert Pentesters

Casco's forward-deployed offensive security engineers battle-tested their expertise at AWS, NSA, and the US Military.

Offensive
Security
Certifications

... and more

FAQs

Schedule a pentest to kick off the process. We need your domain(s) and any test credentials to get started immediately.

Clear findings — what to fix, and why it matters

You get full context, impact, and verification in one clear report.

Improper JWT Verification Leading to Cross-User Data Exposure in AI Claims Chat.

CRITICALCVSS 9.8

Summary

The endpoint accepts a client-supplied JWT but does not verify its signature or validate the claim against the authenticated session. An attacker can tamper the field to impersonate another user, causing the backend to fetch and feed that user’s private documents into the LLM, which then leaks sensitive data.

Business impact articulated

Impact

!Unauthorized disclosure of PII, health records, and underwriting notes.

!Violation of data-protection regulations (e.g., HIPAA).

!Significant reputational damage and potential legal liability.

Step-by-step reproduction

Reproduction

Obtain a valid JWT for User A.
Decode the JWT payload and change the sub claim to User B’s ID.
Re-encode the token without resigning.
Send a POST to /claims/chat with the modified JWT in Authorization.
Observe that the response (LLM summary) includes User B’s documents—confirming the backend never verified the signature or subject claim.

Recommendation

Enforce JWT signature validation on every request using the issuer’s public key.
Ensure the sub claim matches the authenticated user context before data retrieval.
Implement per-user authorization checks on document fetch APIs, rejecting mismatched subjects.
Log and alert on any failed or tampered JWT validations.

One-click Retest

Open

Proud OWASP sponsors

Gold Sponsor of OWASP AI Exchange to Advance AI Security

Learn more

Casco Supervised

Work with Expert Pentesters

FAQs

How do I get started?

How much does it cost?

How long does it take to get a report?

Can I use Casco Supervised pentest reports for compliance purposes?

Can it test authenticated scenarios and business logic flaws?

Do I get a direct line of communication with the security engineers?

How does the pentesting agent decide what to test and prioritize?

Do you offer retesting?

What's the balance between automated and human-supervised activities?

Can we define specific boundaries and out-of-scope systems?

What safeguards prevent the agent from causing system disruptions?

What kind of reports and documentation do we receive?

Can we get attestation letters for compliance purposes?

What can Casco Supervised perform security testing on?

What are the benefits of Casco Supervised over a fully automated pentest?

Clear findings — what to fix, and why it matters

Proud OWASP sponsors