The insecurity of OAuth 2.0 in frontends - Philippe de Ryck - NDC Security 2023
Everyone agrees that Cross-Site Scripting (XSS) is a real threat to browser-based applications, but many underestimate the true power of XSS. In fact, various OAuth 2.0 security mechanisms for frontends, such as refresh token rotation or token isolation in workers, fail to look beyond script-kiddie XSS attacks. In this talk, we take an in-depth look at the consequences of XSS in frontend OAuth 2.0 clients. We explore real-world attacker capabilities and map them against a concrete threat model. We also explore how structural solutions like the Backend-for-Frontend pattern effectively increase the security of frontend applications. By the end of this session, you will have the necessary knowledge to assess the security of your frontends and choose the appropriate defense strategy.

Check out our new channel, NDC Clips: @ndcclips

Check out more of our featured speakers and talks at https://ndcconferences.com/ and https://ndc-security.com/

