Questions tagged [confused-deputy]

9 questions
35 votes, 3 answers

What is the purpose of OAuth 2.0 redirect_uri checking?

The OAuth 2.0 specification's authorization code mechanism includes redirect URI checking from the site you redirect to. See steps D and E in section 4.1 of the spec. Also, section 4.1.3 describes in detail that the redirected-to client needs to…
Steven
  • 451
  • 1
  • 4
  • 4
11 votes, 2 answers

How does setting Origin to null in a redirected CORS request protect against a confused deputy attack?

Excerpt from Here: If a cross-origin resource redirects to another resource at a new origin, the browser will set the value of the Origin header to null after redirecting. This prevents additional confused deputy attacks, but a cost of making it…
Raniz
  • 233
  • 2
  • 10
4 votes, 1 answer

Why do capability-based security systems protect against the confused deputy problem?

According to Wikipedia (https://en.wikipedia.org/wiki/Confused_deputy_problem): In information security, the confused deputy problem is often cited as an example of why capability-based security is important, as capability systems protect…
dippynark
  • 143
  • 4
4 votes, 1 answer

Are command injections examples of confused deputies?

In a command injection you trick a service into doing something for you that it would not normally do. Does that mean that command injections are examples of (exploiting) confused deputies? Does the reverse also hold? More generally, are command…
hkBst
  • 151
  • 3
2 votes, 1 answer

OAuth + Confused Deputy + access token verification + state parameter

Google's "Using OAuth 2.0 for Client-side Application" article at https://developers.google.com/accounts/docs/OAuth2UserAgent states that the client MUST validate all access tokens to verify that it was the intended recipient of the access token, in…
2 votes, 1 answer

Android, how do I prevent Confused Deputy Attacks?

If a malicious mobile app does not have the appropriate permissions to, e.g., download a file, it can invoke a browser to download something. Concrete examples of such an attack are shown from page 27 to page 29 in Android Security Architecture. I want…
My-Name-Is
  • 389
  • 1
  • 5
  • 12
2 votes, 1 answer

Is the OAuth 2 authorization code flow vulnerable to the Confused Deputy Problem?

Confused Deputy Problem (also known as 'The Devil Wears Prada') is an OAuth 2 vulnerability arising when the protocol is used for authentication. Essentially, a malicious client obtains a token for a user, and presents this to a second client. If…
1 vote, 2 answers

Is it safe to use OAuth (Resource Owner Password Credentials Grant) for authentication?

Specifically, do I have to worry about the confused deputy problem if I'm just trying to authorize a user against a single API? For example: a basic messaging service will want to authenticate and then authorize a user to send a message. Using a…
d1str0
  • 2,348
  • 14
  • 24
0 votes, 2 answers

Are CSRF tokens useful outside of web APIs?

I'm trying to understand CSRF tokens and one thing isn't making sense to me. For a web API, you can provide a CSRF token just once, on authentication, and expect the client to remember that token (using local storage or some other means) throughout…
Kate Jo
  • 3
  • 2