Collaborate Disseminate
According to Wikipedia (https://en.wikipedia.org/wiki/Confused_deputy_problem):
In information security, the confused deputy problem is often cited as
an example of why capability-based security is important, as
capab… Continue reading Why do capability-based security systems protect against the confused deputy problem?
POST /api/v2/—-?———– HTTP/1.1
Host: www.—–.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-… Continue reading Getting confused in CORS vulnerability?
Confused Deputy Problem (also known as ‘The Devil Wears Prada’) is an OAuth 2 vulnerability arising when the protocol is used for authentication. Essentially, a malicious client obtains a token for a user, and presents this t… Continue reading Is the OAuth 2 authorization code flow vulnerable to the Confused Deputy Problem?
In a command injection you trick a service into doing something for you that it would not normally do. Does that mean that command injections are examples of (exploiting) confused deputies? Does the reverse also hold?
More generally, are … Continue reading Are command injections examples of confused deputies?
Excerpt from Here:
If a cross-origin resource redirects to another resource at a new origin, the browser will set the value of the Origin header to null after redirecting. This prevents additional confused deputy attacks,… Continue reading How does setting Origin to null in a redirected CORS request protect against a confused deputy attack?
I am trying to understand how one can prevent CSRF attacks. From what I have read and understood online, it seems to me that CSRF Tokens or using say the Origin header for CSRF prevention basically blocks all cross origin req… Continue reading Does the use of CSRF Tokens as a defense mechanism block all Cross-Origin Requests?
I am trying to understand how one can prevent CSRF attacks. From what I have read and understood online, it seems to me that CSRF Tokens or using say the Origin header for CSRF prevention basically blocks all cross origin req… Continue reading Does the use of CSRF Tokens as a defense mechanism block all Cross-Origin Requests?
Specifically, do I have to worry about the confused deputy problem if I’m just trying to authorize a user against a single API?
For example: a basic messaging service will want to authenticate and then authorize a user to se… Continue reading Is it safe to use OAuth (Resource Owner Password Credentials Grant) for authentication?
The OAuth 2.0 specification’s authorization code mechanism includes redirect URI checking from the site you redirect to. See steps D and E in section 4.1 of the spec. Also, section 4.1.3 describes in detail that the redirected-to client ne… Continue reading What is the purpose of OAuth 2.0 redirect_uri checking?