Scott Helme

Open-Sourcing dbsc-php: a Server Library for Device Bound Session Credentials in PHP

We’ve open-sourced dbsc-php, a small PHP library that makes it easier to deploy Device Bound Session Credentials and turn stolen session cookies into something far less useful....

Free Post

Report URI

DBSC Beta at Report URI

This week, I published a blog post about Device Bound Session Credentials, a new technology that will significantly hamper the efforts of Infostealers and reduce the damage caused by stolen...

Device Bound Session Credentials: Making Stolen Cookies Useless

Free Post

Report URI

Device Bound Session Credentials: Making Stolen Cookies Useless

A stolen session cookie can be vastly more powerful than a stolen password. The attacker doesn’t need to phish the user, bypass MFA, or defeat their passkey; they simply...

Free Post

Passkeys

Passkeys, Permissions Policy and Bug Hunting in 1Password's WebAuthn Wrapper

Passkeys are the best thing to happen to web authentication in years, but a passkey ceremony is only as secure as the stack enforcing it. The browser, the relying party,...

Open-Sourcing passkeys-php: A Security-Focused WebAuthn Library for PHP

Free Post

Report URI

Open-Sourcing passkeys-php: A Security-Focused WebAuthn Library for PHP

We've open-sourced passkeys-php, the WebAuthn server library we use at Report URI to protect logins with passkeys, security keys, and platform authenticators like Touch ID, Face...

XSS Is Deadly for Passkeys: The Hidden Risk of Attestation None

Free Post

XSS

XSS Is Deadly for Passkeys: The Hidden Risk of Attestation None

A single XSS vulnerability can turn passkeys from a phishing-resistant login mechanism into a persistent account takeover backdoor. If malicious JavaScript can run on your page, it may be...

Free Post

Passkeys

Passkeys 101: An Introduction to Passkeys and How They Work

Passwords have been the weak point in online authentication for decades. They can be reused, guessed, stolen, phished, leaked, sprayed, stuffed, and captured by malware. Passkeys are one of the...

Anatomy of a WooCommerce Skimmer: A Technical Deep-Dive

Free Post

Report URI

Anatomy of a WooCommerce Skimmer: A Technical Deep-Dive

One malicious change to a trusted JavaScript file can turn your checkout page into a silent credit-card skimmer, siphoning customer data off to criminals while the website looks secure...

Under Attack: Responding to the Rise of Info-Stealer Threats

Free Post

Report URI

Under Attack: Responding to the Rise of Info-Stealer Threats

We recently received a claim that Report URI had been breached and that customer credentials had been stolen. The claim was false: we do not store passwords in a recoverable...

Security considerations when using Passkeys on your website

Free Post

Report URI

Security considerations when using Passkeys on your website

Passkeys are awesome and that's why we implemented them on Report URI! You can read about our implementation here and get the basics on how Passkeys work and...

Scott Helme

Hi, I'm Scott Helme, a Security Researcher, Entrepreneur and International Speaker. I'm the creator of Report URI and Security Headers, and I deliver world renowned training on Hacking and Encryption.

Open-Sourcing dbsc-php: a Server Library for Device Bound Session Credentials in PHP

DBSC Beta at Report URI

Device Bound Session Credentials: Making Stolen Cookies Useless

Passkeys, Permissions Policy and Bug Hunting in 1Password's WebAuthn Wrapper

Open-Sourcing passkeys-php: A Security-Focused WebAuthn Library for PHP

XSS Is Deadly for Passkeys: The Hidden Risk of Attestation None

Passkeys 101: An Introduction to Passkeys and How They Work

Anatomy of a WooCommerce Skimmer: A Technical Deep-Dive

Under Attack: Responding to the Rise of Info-Stealer Threats

Security considerations when using Passkeys on your website

Upcoming Events

Cheat Sheets

Projects

Upcoming Events

Cheat Sheets

Projects

Follow