== Other examples ==
[[File:Don Knotts Barney and the bullet Andy Griffith Show.jpg|thumb|Prototypical confused deputy [[Barney Fife]]]]

A [[cross-site request forgery]] (CSRF) is an example of a confused deputy attack that uses the [[web browser]] to perform sensitive actions against a web application. A common form of this attack occurs when a web application uses a cookie to authenticate every request transmitted by a browser. An attacker's page (using an HTML form, an image tag, or [[JavaScript]]) can cause the browser to transmit [[HTTP]] requests to that application, and the browser automatically attaches the victim's cookie, so the server cannot distinguish a forged request from one the user intended.

The [[Samy (computer worm)|Samy computer worm]] used [[cross-site scripting]] (XSS) to turn the browser's authenticated MySpace session into a confused deputy. Using XSS, the worm forced the browser into posting an executable copy of the worm into the viewing user's own profile, where it was then viewed and executed by friends of the infected user.

[[Clickjacking]] is an attack where the user acts as the confused deputy. In this attack the user believes they are harmlessly interacting with an attacker-controlled website, but the attacker's page overlays or frames another website so that the user's clicks perform sensitive actions there.<ref>{{cite web|url=http://waterken.sourceforge.net/clickjacking/|title=clickjacking: The Confused Deputy rides again!|work=sourceforge.net}}</ref>

An [[FTP bounce attack]] can allow an attacker to connect indirectly to [[Transmission Control Protocol|TCP]] [[TCP ports|ports]] to which the attacker's machine has no access, using a remote [[FTP]] server as the confused deputy: the attacker asks the server to open a data connection to an arbitrary host and port, and the server does so with its own network access.

Another example relates to [[personal firewall]] software. Such software can restrict Internet access for specific applications. Some applications circumvent this by starting a browser with instructions to access a specific URL. The browser has authority to open a network connection, even though the application does not. Firewall software can attempt to address this by prompting the user in cases where one program starts another which then accesses the network. However, the user frequently does not have sufficient information to determine whether such an access is legitimate: false positives are common, and there is a substantial risk that even sophisticated users will become habituated to clicking "OK" to these prompts.<ref>Alfred Spiessens: Patterns of Safe Collaboration, PhD thesis. http://www.evoluware.eu/fsp_thesis.pdf Section 8.1.5</ref>

Not every program that misuses authority is a confused deputy. Sometimes misuse of authority is simply the result of a program error. The confused deputy problem occurs when the designation of an object (a file name, a URL, a host and port) is passed from one program to another, and the authority under which that designation is exercised changes unintentionally. It is insidious precisely because neither party took any explicit action to change the authority.