tags: #publish
links: [[Security]]
created: 2021-11-29 Mon
---

# Confused deputy problem

A privilege-escalation pattern, classically cross-account: a more-privileged intermediary (the *deputy*) is tricked into using its own authority to perform an action on behalf of a less-privileged attacker. If Bob has permission to perform an action on Alice's account but Mallory does not, Mallory can try to trick Bob into performing that action for Mallory against Alice. The deputy is "confused" because it checks (or simply holds) its *own* permission and never asks whether the party that initiated the request was allowed to do this. Cross-account role assumption in cloud IAM and CSRF (the browser attaches the victim's cookies to a request the attacker composed) are common instances of the same pattern.

## Prevention

Instead of verifying that the executor has permission, verify that the initiator has permission. Capability-based security is one way to do this. Make it so you can only obtain a **capability** - a handle to perform an action, like a file descriptor - if *you* have permission to perform it, and make the deputy act only through capabilities it is handed rather than through ambient authority of its own. That is, the request becomes semantically something like:

```
capability = getActionAsMallory(actionName)
callBobToPerformAction(capability)
```

so that the permission check is in the `getActionAsMallory` call and is made against Mallory the initiator, instead of Bob the executor. If the deputy keeps ambient authority alongside the capability path (say, it still accepts a raw target name from the caller), the attacker simply uses that path and the capability adds nothing; the deputy must have nothing to be confused about.
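The two designs side by side, as an added example (not code from the original note): a toy in-memory "filesystem" with an owner-based ACL, a vulnerable deputy that writes whatever path it is given using its own service-account authority, and a capability-based deputy that can only write through a handle minted after checking the initiator's permission. The users, paths, ACL rule and mint-token mechanism are all assumptions constructed for the illustration.

```python
"""Confused deputy vs capability-based design, as a toy model.

The 'deputy' is a service that writes files on behalf of users.  In the
vulnerable version it uses its own (ambient) authority and trusts the path
the caller names; in the fixed version it can only act on a capability
that the caller had to obtain under the caller's own identity.
"""

# Constructed sample world: a toy filesystem and per-path ownership.
ALICE_FILE = "/home/alice/notes.txt"
ALICE_ORIGINAL = "alice's private notes"
FILES = {
    ALICE_FILE: ALICE_ORIGINAL,
    "/home/mallory/todo.txt": "mallory's todo list",
}
OWNER = {
    ALICE_FILE: "alice",
    "/home/mallory/todo.txt": "mallory",
}
DEPUTY_USER = "deputy"  # assumed service account that may write any file


def user_may_write(user, path):
    """Toy ACL: the owner may write, and the deputy service may write anything."""
    return user == DEPUTY_USER or OWNER.get(path) == user


# --- Vulnerable deputy: checks its own permission, not the initiator's -------

def vulnerable_deputy_write(requester, path, data):
    """Write `data` to `path` on behalf of `requester`.

    Bug: the only check is whether the *deputy* may write `path`, which is
    always true, so any requester can aim the deputy at any file.  The
    `requester` argument is never consulted.
    """
    if not user_may_write(DEPUTY_USER, path):
        raise PermissionError(f"deputy cannot write {path}")
    FILES[path] = data
    return True


# --- Capability-based deputy ------------------------------------------------

_MINT_TOKEN = object()  # private sentinel: the only way to mint a capability


class WriteCapability:
    """A handle that can write exactly one file.

    Only `get_write_capability` constructs these, after checking the
    *initiator's* permission.  The deputy never sees a path it could
    reinterpret; it only sees this handle.  (Unforgeability here is by
    convention via the private token; a real system would use the kernel,
    a signed token, or a language-level object-capability discipline.)
    """

    def __init__(self, path, _token):
        if _token is not _MINT_TOKEN:
            raise PermissionError("capabilities can only be minted by the authority")
        self._path = path

    def write(self, data):
        FILES[self._path] = data
        return True


def get_write_capability(requester, path):
    """The permission check lives here and is made against the requester."""
    if not user_may_write(requester, path):
        raise PermissionError(f"{requester} may not write {path}")
    return WriteCapability(path, _MINT_TOKEN)


def capability_deputy_write(cap, data):
    """The deputy acts with the capability it was handed.

    It has no ambient authority of its own, so there is nothing to confuse.
    """
    return cap.write(data)


def attack(deputy_kind):
    """Mallory tries to make the deputy overwrite Alice's file.

    Resets Alice's file first so the call is repeatable.
    Returns (attack_succeeded, content_of_alice_file).
    """
    FILES[ALICE_FILE] = ALICE_ORIGINAL
    payload = "pwned by mallory"
    try:
        if deputy_kind == "vulnerable":
            vulnerable_deputy_write("mallory", ALICE_FILE, payload)
        else:
            cap = get_write_capability("mallory", ALICE_FILE)  # raises here
            capability_deputy_write(cap, payload)
        succeeded = True
    except PermissionError:
        succeeded = False
    return succeeded, FILES[ALICE_FILE]


if __name__ == "__main__":
    print("vulnerable deputy:", attack("vulnerable"))
    print("capability deputy:", attack("capability"))
```

The point of `attack("vulnerable")` succeeding while `attack("capability")` fails is that the deputy's code is almost identical in both versions; what changed is *whose* identity the check runs against and *what* the deputy is willing to accept as a target.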