[cap-talk] Confused Deputy gets a new name in Web 2.0 lingo
Ka-Ping Yee
cap-talk at zesty.ca
Mon Oct 16 23:51:56 CDT 2006
On Mon, 16 Oct 2006, Tyler Close wrote:
> The Confused Deputy attack occurs because authorizations are not
> reified, but are instead inferred based on the identity of the
> requestor. So I don't understand what you mean about seeing the cookie
> as being an authorization in a Confused Deputy attack.
It isn't, in my opinion. That's why I wrote what I did. Your position
is the one that seems to interpret the cookie as an authorization.
In a confused deputy situation, the deputy inadvertently abuses authority.
Is it the browser or the bank that is making the decision to exercise
the authority? I say the bank. If you prefer to say the browser, you
can, it just means that you have chosen to see the browser as conveying
an authorization to the bank.
-- ?!ng
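The scenario the two posts are arguing about, as an added simulation that is not part of the thread and not code from either poster: a browser that attaches the bank's cookie to every request aimed at the bank, a bank that infers authorization from the identity that cookie names, and a page on another origin that asks the browser to submit a transfer. A second bank variant reifies the authorization as a per-session token that only the bank's own page can hand to the form. The classes, origins, users (alice, mallory, bob) and amounts are all constructed for the example.

```python
"""Constructed model of the cookie-and-bank scenario (example only)."""
import secrets


class CookieBank:
    """Authorization is inferred from the identity the cookie names."""

    origin = "bank.example"  # constructed origin

    def __init__(self):
        self.sessions = {}                          # cookie -> user
        self.balances = {"alice": 100, "mallory": 0}  # constructed accounts

    def issue_session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def render_transfer_page(self, cookie):
        # The bank's own transfer form carries no extra authorization.
        return {}

    def authorize(self, cookie, form):
        # The decision is the bank's: whoever the cookie names may transfer.
        return self.sessions.get(cookie)

    def handle(self, cookie, form):
        user = self.authorize(cookie, form)
        if user is None:
            return "denied"
        amount = form["amount"]
        if self.balances.get(user, 0) < amount:
            return "insufficient"
        self.balances[user] -= amount
        self.balances[form["to"]] = self.balances.get(form["to"], 0) + amount
        return "ok"


class TokenBank(CookieBank):
    """Authorization is reified: a token only the bank's page can place in
    the form, so the identity in the cookie alone does not authorize."""

    def __init__(self):
        super().__init__()
        self.tokens = {}  # cookie -> token

    def render_transfer_page(self, cookie):
        # Served on the bank's origin; a page elsewhere cannot read it.
        token = self.tokens.setdefault(cookie, secrets.token_hex(16))
        return {"token": token}

    def authorize(self, cookie, form):
        user = self.sessions.get(cookie)
        expected = self.tokens.get(cookie)
        if user is None or expected is None:
            return None
        if not secrets.compare_digest(expected, form.get("token", "")):
            return None
        return user


class Browser:
    """Stores cookies per origin and attaches them automatically."""

    def __init__(self):
        self.cookies = {}  # origin -> cookie

    def login(self, bank, user):
        self.cookies[bank.origin] = bank.issue_session(user)

    def submit(self, bank, form):
        # The browser makes no authorization decision; it sends the bank's
        # cookie no matter which page built the form.
        return bank.handle(self.cookies.get(bank.origin), form)


def attacker_page(browser, bank):
    # A page on another origin can choose the form fields, but cannot read
    # the bank's cookie or the bank's own transfer page.
    return browser.submit(bank, {"to": "mallory", "amount": 50})


def run_attack(bank_cls):
    """Log alice in, let the foreign page submit, report the outcome."""
    bank, browser = bank_cls(), Browser()
    browser.login(bank, "alice")
    result = attacker_page(browser, bank)
    return result, bank.balances["alice"], bank.balances["mallory"]


def run_legitimate(bank_cls):
    """Alice uses the bank's own transfer page, which supplies any token."""
    bank, browser = bank_cls(), Browser()
    browser.login(bank, "alice")
    form = {"to": "bob", "amount": 30}
    form.update(bank.render_transfer_page(browser.cookies[bank.origin]))
    return browser.submit(bank, form), bank.balances["alice"]


if __name__ == "__main__":
    print("cookie-only bank, foreign page:", run_attack(CookieBank))
    print("token bank, foreign page:      ", run_attack(TokenBank))
    print("token bank, bank's own page:   ", run_legitimate(TokenBank))
```

With the cookie-only bank the foreign page's transfer goes through: the browser conveyed identity, and the bank turned identity into authority. With the token bank the same request is refused while Alice's own transfer still succeeds, which is what it looks like when the authorization is reified instead of inferred from the requestor.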