CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
Weakness ID: 441
The software receives a request, message, or directive from an upstream component, but the software does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the software's control sphere. This causes the software to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
If an attacker cannot directly contact a target, but the software has access to the target, then the attacker can send a request to the software and have it be forwarded from the target. The request would appear to be coming from the software's system, not the attacker's system. As a result, the attacker can bypass access controls (such as firewalls) or hide the source of malicious requests, since the requests would not be coming directly from the attacker.
Since proxy functionality and message-forwarding often serve a legitimate purpose, this issue only becomes a vulnerability when:
The software runs with different privileges or on a different system, or otherwise has different levels of access than the upstream component;
The attacker is prevented from making the request directly to the target; and
The attacker can create a request that the proxy does not explicitly intend to be forwarded on the behalf of the requester. Such a request might point to an unexpected hostname, port number, or service. Or, the request might be sent to an allowed service, but the request could contain disallowed directives, commands, or resources.
This weakness is sometimes referred to as the "Confused deputy"
problem, in which an attacker misused the authority of one victim (the
"confused deputy") when targeting another victim.
Time of Introduction
Architecture and Design
Technical Impact: Gain privileges / assume
identity; Hide activities
This weakness has a chaining relationship with CWE-668 (Exposure of Resource to Wrong Sphere) because the proxy effectively provides the attacker with access to the target's resources that the attacker cannot directly obtain.
It could be argued that the "confused deputy" is a fundamental aspect of
most vulnerabilities that require an active attacker. Even for common
implementation issues such as buffer overflows, SQL injection, OS command
injection, and path traversal, the vulnerable program already has the
authorization to run code or access files. The vulnerability arises when the
attacker causes the program to run unexpected code or access unexpected