[cap-talk] Confused Deputy gets a new name in Web 2.0 lingo
cap-talk at zesty.ca
Mon Oct 16 23:51:56 CDT 2006
On Mon, 16 Oct 2006, Tyler Close wrote:
> The Confused Deputy attack occurs because authorizations are not
> reified, but are instead inferred based on the identity of the
> requestor. So I don't understand what you mean about seeing the cookie
> as being an authorization in a Confused Deputy attack.
It isn't, in my opinion. That's why I wrote what I did. Your position
is the one that seems to interpret the cookie as an authorization.
In a confused deputy situation, the deputy inadvertently abuses authority.
Is it the browser or the bank that is making the decision to exercise
the authority? I say the bank. If you prefer to say the browser, you
can; it just means that you have chosen to see the browser as conveying
an authorization to the bank.
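To make the distinction in this exchange concrete, here is a small added example (not code from the cap-talk thread or from either poster): a toy bank that decides a transfer request either by inferring authority from the identity the cookie names, or by requiring a reified authorization handed out with the transfer form. The `Bank` class, its session store and the account names are all constructed for illustration.

```python
import secrets

class Bank:
    """Constructed toy bank that authorizes a transfer in two ways."""
    def __init__(self):
        self.sessions = {}                      # cookie -> account (identity)
        self.tokens = {}                        # token -> account it was issued to
        self.balances = {"alice": 100, "mallory": 0}

    def login(self, account):
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = account
        return cookie

    # Authorization inferred from identity: whoever the cookie identifies is
    # the sender. A request the browser was induced to send from another
    # page carries the cookie automatically, so the bank honours it. The
    # bank, not the browser, is the party making that decision.
    def transfer_ambient(self, cookie, to, amount):
        sender = self.sessions.get(cookie)
        if sender is None:
            return False
        self._move(sender, to, amount)
        return True

    # Reified authorization: the transfer form hands the page an explicit,
    # single-use token, and the bank acts only on a request presenting it.
    # The cookie still says who is asking; it no longer says "may transfer".
    def transfer_form(self, cookie):
        token = secrets.token_hex(8)
        self.tokens[token] = self.sessions[cookie]
        return token

    def transfer_reified(self, cookie, token, to, amount):
        sender = self.sessions.get(cookie)
        if sender is None or self.tokens.pop(token, None) != sender:
            return False
        self._move(sender, to, amount)
        return True

    def _move(self, src, dst, amount):
        self.balances[src] -= amount
        self.balances[dst] += amount

def demo():
    """Alice is logged in; a page she visits makes her browser request a
    transfer to mallory. Returns (forged_accepted, forged_blocked, own_ok, alice)."""
    bank = Bank()
    cookie = bank.login("alice")
    forged = bank.transfer_ambient(cookie, "mallory", 40)       # True
    blocked = bank.transfer_reified(cookie, "", "mallory", 40)  # False: no token
    ok = bank.transfer_reified(cookie, bank.transfer_form(cookie), "mallory", 10)
    return forged, blocked, ok, bank.balances["alice"]
```

The forged request in `demo` succeeds only against the identity-inferring handler; once the authorization is reified as a token the cross-page request has nothing to present, while Alice's own form submission still goes through.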