The insecurity of OAuth 2.0 in frontends – Philippe de Ryck – NDC Security 2023
Everyone agrees that Cross-Site Scripting (XSS) is a real threat to browser-based applications, but many underestimate the true power of XSS. In fact, various OAuth 2.0 security mechanisms for frontends, such as refresh token rotation or token isolation in workers, fail to look beyond script kiddie XSS attacks.

In this talk, we take an in-depth look at the consequences of XSS in frontend OAuth 2.0 clients. We explore real-world attacker capabilities and map them against a concrete threat model. We also explore how structural solutions like the Backend-for-Frontend pattern effectively increase the security of frontend applications. By the end of this session, you will have the necessary knowledge to assess the security of your frontends and choose the appropriate defense strategy.

Check out our new channel:
NDC Clips:
https://www.youtube.com/@UCDAfoBRLbriD_c4F-DznWcA

Check out more of our featured speakers and talks at
https://ndcconferences.com/
https://ndc-security.com/