Скачать или смотреть Breaking and securing OAuth 2.0 in frontends at NDC Security - Philippe De Ryck - NDC Security 2025

This talk was recorded at NDC Security in Oslo, Norway. #ndcsecurity #ndcconferences #security #developer #softwaredeveloper

Attend the next NDC conference near you:
https://ndcconferences.com
https://ndc-security.com/

Subscribe to our YouTube channel and learn every day: ‪@NDC‬

Follow our Social Media!

  / ndcconferences  
  / ndc_conferences  
  / ndc_conferences  

#application #security

Two years ago, I spoke at NDC Security on the insecurity of OAuth 2.0 in frontend web applications. Through concrete demos, I showed how OAuth 2.0 could widen the attack surface in the presence of an XSS vulnerability. These demos exposed the shortcomings of the "OAuth 2.0 for browser-based apps" specification at the time. That talk sparked a series of events that led to my role as a co-author of the spec, driving a major restructuring and refinement process.

In this follow-up session, I'll cover the nearly finalized RFC on OAuth 2.0 for browser-based apps. We'll explore the specific threats posed by XSS vulnerabilities and discuss strategies to enhance application security. Additionally, we'll dive into the best practice of using a Backend-For-Frontend (BFF) approach, demonstrating how its implementation has minimal impact on development. You'll leave with a clear understanding of OAuth 2.0 security in frontends and practical steps for securing sensitive applications.