Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  

CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')

Weakness ID: 441
Abstraction: Class
Status: Draft
Presentation Filter:
+ Description

Description Summary

The software receives a request, message, or directive from an upstream component, but the software does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the software's control sphere. This causes the software to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Extended Description

If an attacker cannot directly contact a target, but the software has access to the target, then the attacker can send a request to the software and have it be forwarded from the target. The request would appear to be coming from the software's system, not the attacker's system. As a result, the attacker can bypass access controls (such as firewalls) or hide the source of malicious requests, since the requests would not be coming directly from the attacker.

Since proxy functionality and message-forwarding often serve a legitimate purpose, this issue only becomes a vulnerability when:

  • The software runs with different privileges or on a different system, or otherwise has different levels of access than the upstream component;

  • The attacker is prevented from making the request directly to the target; and

  • The attacker can create a request that the proxy does not explicitly intend to be forwarded on the behalf of the requester. Such a request might point to an unexpected hostname, port number, or service. Or, the request might be sent to an allowed service, but the request could contain disallowed directives, commands, or resources.

+ Alternate Terms
Confused Deputy:

This weakness is sometimes referred to as the "Confused deputy" problem, in which an attacker misused the authority of one victim (the "confused deputy") when targeting another victim.

+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms



+ Common Consequences
Access Control

Technical Impact: Gain privileges / assume identity; Hide activities

+ Observed Examples
FTP bounce attack. The design of the protocol allows an attacker to modify the PORT command to cause the FTP server to connect to other machines besides the attacker's.
RPC portmapper could redirect service requests from an attacker to another entity, which thinks the requests came from the portmapper.
FTP server does not ensure that the IP address in a PORT command is the same as the FTP user's session, allowing port scanning by proxy.
Web server allows attackers to request a URL from another server, including other ports, which allows proxied scanning.
CGI script accepts and retrieves incoming URLs.
Bounce attack allows access to TFTP from trusted side.
Web-based mail program allows internal network scanning using a modified POP3 port number.
URL-downloading library automatically follows redirects to file:// and scp:// URLs
+ Potential Mitigations

Phase: Architecture and Design

Enforce the use of strong mutual authentication mechanism between the two parties.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class610Externally Controlled Reference to a Resource in Another Sphere
Development Concepts (primary)699
Research Concepts (primary)1000
Weaknesses for Simplified Mapping of Published Vulnerabilities (primary)1003
ChildOfCategoryCategory956SFP Secondary Cluster: Channel Attack
Software Fault Pattern (SFP) Clusters (primary)888
CanPrecedeWeakness ClassWeakness Class668Exposure of Resource to Wrong Sphere
Research Concepts1000
RequiredByCompound Element: CompositeCompound Element: Composite352Cross-Site Request Forgery (CSRF)
Research Concepts1000
RequiredByCompound Element: CompositeCompound Element: Composite384Session Fixation
Research Concepts1000
ParentOfWeakness BaseWeakness Base918Server-Side Request Forgery (SSRF)
Development Concepts (primary)699
Research Concepts (primary)1000
Weaknesses for Simplified Mapping of Published Vulnerabilities (primary)1003
PeerOfWeakness VariantWeakness Variant611Improper Restriction of XML External Entity Reference ('XXE')
Research Concepts1000
+ Relationship Notes

This weakness has a chaining relationship with CWE-668 (Exposure of Resource to Wrong Sphere) because the proxy effectively provides the attacker with access to the target's resources that the attacker cannot directly obtain.

+ Theoretical Notes

It could be argued that the "confused deputy" is a fundamental aspect of most vulnerabilities that require an active attacker. Even for common implementation issues such as buffer overflows, SQL injection, OS command injection, and path traversal, the vulnerable program already has the authorization to run code or access files. The vulnerability arises when the attacker causes the program to run unexpected code or access unexpected files.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERUnintended proxy/intermediary
PLOVERProxied Trusted Channel
WASC32Routing Detour
+ References
Norm Hardy. "The Confused Deputy (or why capabilities might have been invented)". 1988. <>.
+ Maintenance Notes

This could possibly be considered as an emergent resource.

+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Potential_Mitigations, Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings
2008-11-24CWE Content TeamMITREInternal
updated Maintenance_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
2010-02-16CWE Content TeamMITREInternal
updated Taxonomy_Mappings
2010-04-05CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2010-06-21CWE Content TeamMITREInternal
updated Other_Notes
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2011-06-27CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Related_Attack_Patterns, Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2013-02-21CWE Content TeamMITREInternal
updated Alternate_Terms, Applicable_Platforms, Description, Maintenance_Notes, Name, Observed_Examples, References, Relationship_Notes, Relationships, Theoretical_Notes, Type
2014-07-30CWE Content TeamMITREInternal
updated Relationships
2015-12-07CWE Content TeamMITREInternal
updated Relationships
2017-01-19CWE Content TeamMITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2013-02-21Unintended Proxy/Intermediary

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017