
The insecurity of OAuth 2.0 in frontends - Philippe de Ryck - NDC Security 2023

NDC Conferences

Everyone agrees that Cross-Site Scripting (XSS) is a real threat to browser-based applications, but many underestimate the true power of XSS. In fact, various OAuth 2.0 security mechanisms for frontends, such as refresh token rotation or token isolation in workers, fail to look beyond script-kiddie XSS attacks.

In this talk, we take an in-depth look at the consequences of XSS in frontend OAuth 2.0 clients. We explore real-world attacker capabilities and map them against a concrete threat model. We also explore how structural solutions like the Backend-for-Frontend pattern effectively increase the security of frontend applications. By the end of this session, you will have the necessary knowledge to assess the security of your frontends and choose the appropriate defense strategy.

