What category does Confused Deputy belong to?

Confused Deputy belongs to the "Software Development" category in personal knowledge management and productivity.

What are the key topics related to Confused Deputy?

Key topics related to Confused Deputy include: security, software-engineering, vulnerabilities, access-control.

What are alternative names for Confused Deputy?

Confused Deputy is also known as: Confused deputy problem, Deputy attack.

Confused Deputy

A security vulnerability where a trusted program is tricked into misusing its authority on behalf of an attacker.

Also known as: Confused deputy problem, Deputy attack

Category: Software Development

Tags: security, software-engineering, vulnerabilities, access-control

Explanation

The confused deputy problem is a type of security vulnerability in which a computer program with legitimate authority (the 'deputy') is tricked by an attacker into misusing that authority. The deputy is confused because it cannot distinguish between requests from legitimate principals and requests from malicious ones, leading it to perform unauthorized actions using its own elevated privileges.

**The classic example**:

The term was coined by Norm Hardy in 1988, describing a compiler service that had permission to write to a billing directory. Users could specify an output file for compilation results. An attacker specified the billing file as the output, causing the compiler (the confused deputy) to overwrite billing records using its own write permissions — permissions the attacker did not have.

**Modern manifestations**:

- **Cross-site request forgery (CSRF)**: A web browser (deputy) is tricked into sending authenticated requests to a site on behalf of an attacker
- **SQL injection**: A database server (deputy) executes attacker-crafted queries using the application's database permissions
- **Server-Side Request Forgery (SSRF)**: A server (deputy) is tricked into making requests to internal resources on behalf of an attacker
- **Cloud IAM confusion**: A cloud service with broad permissions is tricked into accessing resources in other accounts
- **Clickjacking**: A browser (deputy) executes clicks intended for a hidden element

**Prevention strategies**:

- **Capability-based security**: Instead of ambient authority, explicitly pass capabilities (unforgeable references) that authorize specific actions
- **Principle of least privilege**: Minimize the permissions granted to any program or service
- **Input validation**: Verify that requests are legitimate and within expected parameters
- **CSRF tokens**: Include unguessable tokens in requests to verify their origin
- **Confused deputy mitigations in cloud**: Use external ID parameters, restrict cross-account trust policies

**Key insight**: The confused deputy problem arises from **ambient authority** — when a program's authority is determined by its identity rather than by explicit authorization tokens. The fundamental solution is to move from identity-based to capability-based authorization.

Related Concepts

Privilege Escalation
CIA Triad
Defense in Depth
Authorization

← Back to all concepts