[cap-talk] Confused Deputy gets a new name in Web 2.0 lingo

Ka-Ping Yee cap-talk at zesty.ca
Mon Oct 16 22:51:57 CDT 2006


On Mon, 16 Oct 2006, Tyler Close wrote:
> "A cross-site request forgery is simply a confused deputy attack
> against a website. The deputy in the bank example is the bank website,
> which is confused into misusing Bob's authority at Alice's direction."

Yes, that's what i added.

> If so, I think it needs to be amended. The deputy role is being played
> by the web browser, not the bank website. The browser has been
> instantiated with some of the user's authority (the bank credentials)
> and some of the visited site's authority (the attack site).

I think it could be seen either way, depending on what you believe
the intended purpose of the cookie to be.  If you see the cookie as
an authorization, then the web browser is inappropriately providing
that authorization and it is the confused deputy.  If you see the
cookie as user authentication (which is how i see it), then the bank
is inappropriately exercising the user's authority when that
authorization has not been provided, so it is the confused deputy.

I chose the latter interpretation because i think most people see and
use cookies as a form of authentication, and it fits better with the
proposed solutions on that page (e.g. have the website put a session
token in a hidden form element).


-- ?!ng
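As an added illustration that is not part of the original thread, the "session token in a hidden form element" fix mentioned above, written in Python against a constructed in-memory session store: the cookie-only endpoint is shown beside the hardened one so the "cookie as authentication, not authorization" reading is visible in code.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}
SESSIONS = {}

def login(user):
    """Issue a session cookie and a per-session token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def render_transfer_form(sid):
    """Bank page: embed the session's token in a hidden form field.
    Only a page served by the bank's origin can carry this value."""
    token = SESSIONS[sid]["csrf"]
    return f'<input type="hidden" name="csrf" value="{token}">'

def transfer_vulnerable(cookies, form):
    """Cookie treated as authorization: whatever the browser submits with
    the cookie attached is acted on, so any site that makes the browser
    send the request drives the bank with the user's authority."""
    sess = SESSIONS.get(cookies.get("sid"))
    if sess is None:
        return (401, "not logged in")
    return (200, f"{sess['user']} sent {form['amount']} to {form['to']}")

def transfer_hardened(cookies, form):
    """Cookie treated as authentication only: the request must also carry
    the hidden-field token, which a cross-site page cannot read. The browser
    still attaches the cookie, but the cookie alone no longer authorizes."""
    sess = SESSIONS.get(cookies.get("sid"))
    if sess is None:
        return (401, "not logged in")
    submitted = form.get("csrf", "")
    # Constant-time comparison so the check does not leak the token.
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return (403, "missing or invalid CSRF token")
    return (200, f"{sess['user']} sent {form['amount']} to {form['to']}")
```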

