[cap-talk] Confused Deputies in Capability Systems - not
Tyler Close
tyler.close at gmail.com
Mon Feb 23 12:51:56 EST 2009
On Mon, Feb 23, 2009 at 3:36 AM, Jed Donnelley <capability at webstart.com> wrote:
> On a related topic, in doing some research for this message
> I looked a bit at the description of "clickjacking":
>
> http://en.wikipedia.org/wiki/Clickjacking
>
> which is also referred to on:
>
> http://en.wikipedia.org/wiki/Confused_deputy_problem
>
> where it says the clickjacking category "can be analysed as confused
> deputy attacks". I don't agree with this statement. I believe
> something else is going on with "clickjacking" where the user
> is being fooled into executing code supplied by a malicious
> user due to the nature of an interface.
In "ACLs don't" <http://waterken.sf.net/aclsdont/>, I wrote:
"""
An HTML link is a request for the browser to place
named content at a specified on-screen location. When
the browser includes cookies in the GET request to
fetch the content, it is acting as a Confused Deputy.
Like in the compilation scenario, the requestor does
not have permission to access the named resource, but
can provide the resource's name to the deputy, who
will access the resource on the requestor's behalf. In
clickjacking, the requestor is the creator of the HTML
link and the deputy is again the Web browser. A full
listing of the corresponding elements in the attacks is
shown in Table 3. This formulation of a Confused
Deputy attack is quite similar to the previously discussed
CSRF attack. In that attack, the attacker causes
a POST request to a victim site, accompanied by the
victim site's cookies. Clickjacking can similarly be
thought of as an attack in which the attacker causes
a GET request to a victim site, accompanied by the
victim site's cookies. In a CSRF attack, the payoff to
the attacker comes from the side-effects of the POST
request. In a clickjacking attack, the payoff comes
from the on-screen positioning of private controls.
Gratification is slightly delayed in the clickjacking
attack, since it doesn't come until the user clicks, but
the subterfuge comes before the final click, in the set
up of the click target.
"""
There's still more explanation in the surrounding text in the paper.
Does this clarify the Confused Deputy nature of clickjacking for you?
--Tyler
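The following is an added example, not code from the cap-talk thread or from the "ACLs don't" paper. It models the browser-as-deputy decision the quoted passage describes: an attacker's page frames the victim site, the browser issues a GET for the frame and, if its cookie policy permits, attaches the victim's cookies. The two controls a site owner has over that decision are the cookie's SameSite attribute and the anti-framing response headers. Site identity is simplified to a plain string such as "https://bank.example" rather than the real scheme plus eTLD+1 computation, the CSP parsing is minimal, and the host names are constructed for the example.

```javascript
// Added example: a simplified model of the browser's confused-deputy decision
// in clickjacking. Not from the cap-talk post or the "ACLs don't" paper.

// Does the browser attach `cookie` to a request for ctx.requestSite that is
// issued from a document whose top-level site is ctx.topLevelSite?
// Simplification: site comparison is string equality; an unspecified SameSite
// value is treated as Lax (Chromium's default).
function shouldAttachCookie(cookie, ctx) {
  const sameSite = ctx.requestSite === ctx.topLevelSite;
  const safeMethod = ['GET', 'HEAD', 'OPTIONS'].includes(ctx.method);
  switch ((cookie.sameSite || 'Lax').toLowerCase()) {
    case 'none':
      // Cross-site use is allowed only for Secure cookies; otherwise the
      // cookie is rejected by modern browsers and never sent.
      return cookie.secure === true;
    case 'strict':
      return sameSite;
    case 'lax':
    default:
      // Lax: always on same-site requests; cross-site only for a top-level
      // navigation with a safe method. A framed (iframe) load is not a
      // top-level navigation, so the victim's cookie is not attached to it.
      return sameSite || (ctx.isTopLevelNavigation && safeMethod);
  }
}

// Headers a site can send to forbid being placed "at a specified on-screen
// location" on someone else's page. Both are sent to cover old and new browsers.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// May a document at `embedderOrigin` frame a response carrying `headers`?
// CSP frame-ancestors takes precedence over X-Frame-Options when both exist.
function isFramingAllowed(headers, embedderOrigin, responseOrigin) {
  const csp = headers['Content-Security-Policy'] || '';
  const directive = csp
    .split(';')
    .map((s) => s.trim())
    .find((d) => d.startsWith('frame-ancestors'));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    if (sources.includes("'none'")) return false;
    if (sources.includes("'self'") && embedderOrigin === responseOrigin) return true;
    return sources.includes(embedderOrigin) || sources.includes('*');
  }
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === responseOrigin;
  return true; // no header: any page may frame it, the clickjacking precondition
}

// Walk the set-up step of the attack with constructed hosts: a page at
// evil.example frames bank.example. The deputy (browser) is "confused" only
// when the frame is permitted AND the victim's cookie rides along on the GET.
function simulateClickjackSetup({ cookie, victimHeaders }) {
  const victim = 'https://bank.example';
  const attacker = 'https://evil.example';
  const framed = isFramingAllowed(victimHeaders, attacker, victim);
  const cookieSent =
    framed &&
    shouldAttachCookie(cookie, {
      requestSite: victim,
      topLevelSite: attacker,
      isTopLevelNavigation: false,
      method: 'GET',
    });
  return { framed, cookieSent, exploitable: framed && cookieSent };
}

// Legacy configuration versus hardened configuration.
const legacy = simulateClickjackSetup({
  cookie: { name: 'session', sameSite: 'None', secure: true },
  victimHeaders: {},
});
const hardened = simulateClickjackSetup({
  cookie: { name: 'session', sameSite: 'Lax' },
  victimHeaders: antiFramingHeaders(),
});
console.log('legacy  :', legacy);
console.log('hardened:', hardened);
```

Either control alone breaks the deputy relationship in this model: with no framing headers but a Lax cookie the frame loads without the session, so the "private controls" never appear; with DENY / frame-ancestors 'none' the frame is refused before any cookie decision is made. Sending both is the usual practice, since they fail in different places (cookie policy in the request path, framing policy in the rendering path).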