Practical Security

Security is hard, we know because we've been in the business of making web security easier for over 11 years.

We take complex security issues, break them down into tiny problems, and thoroughly solve each one. Our goal is to provide practical security tools, solutions, and education to help make all applications safer. On this site you'll find all of our thoughts, ideas, projects, and research.

Projects

Passprotect

A browser extension and JavaScript that alerts you if the password you're using to authenticate to a website has been involved in a breach.

View Website

JPaseto

The simplest and most secure implementation of the PASETO token standard on the JVM. Has gone through extensive security audits.

View on GitHub

Implicit Flow Detector

A browser extension that lets you know when a website is using the deprecated OAuth/OpenID Connect Implicit Flow. This extension helps detect weak authentication mechanisms in websites so you can alert website admins.

View Website

Articles

SAML Certificate Security: The Latest Findings and Potential Impacts

Recently, the National Security Agency (NSA) published new findings that reference how previously discovered tactics, techniques, and procedures...

More Than Subdomain Takeover: Ways To Takeover, Hijack And Impersonate Your Website

In my last post about subdomain takeovers, we talked about what subdomain takeovers are and how hackers can use them to attack shared-session SSO....

Building A Subdomain Takeover Monitor

In a previous article, we talked about the different types of subdomain takeovers and how hackers can use them to attack SSO systems. The impact of a...