Breaking and securing OAuth 2.0 in frontends at NDC Security - Philippe De Ryck - NDC Security 2025

This talk was recorded at NDC Security in Oslo, Norway.

Two years ago, I spoke at NDC Security on the insecurity of OAuth 2.0 in frontend web applications. Through concrete demos, I showed how OAuth 2.0 could widen the attack surface in the presence of an XSS vulnerability. These demos exposed the shortcomings of the "OAuth 2.0 for browser-based apps" specification at the time. That talk sparked a series of events that led to my role as a co-author of the spec, driving a major restructuring and refinement process.

In this follow-up session, I'll cover the nearly finalized RFC on OAuth 2.0 for browser-based apps. We'll explore the specific threats posed by XSS vulnerabilities and discuss strategies to enhance application security. Additionally, we'll dive into the best practice of using a Backend-For-Frontend (BFF) approach, demonstrating how its implementation has minimal impact on development. You'll leave with a clear understanding of OAuth 2.0 security in frontends and practical steps for securing sensitive applications.