Confused deputy problem

In the original example of a confused deputy,[3] there was a compiler program provided on a commercial timesharing service.

A user ran the compiler and named "(SYSX)BILL" as the desired debugging output file.

The compiler, acting with its own permissions rather than the user's, made a request to the operating system to open (SYSX)BILL.

A common form of this attack, cross-site request forgery (CSRF), occurs when a web application relies on a cookie alone to authenticate every request a browser transmits: the browser attaches the cookie regardless of which site caused the request to be sent.

Using JavaScript (or even a plain HTML form or image tag), an attacker's page can cause the victim's browser to transmit requests that carry the victim's cookie, and the web application accepts them as authenticated.

The Samy computer worm used cross-site scripting (XSS) to turn the browser's authenticated MySpace session into a confused deputy.

Personal firewall software can attempt to address the analogous problem on a desktop by prompting the user in cases where one program starts another which then accesses the network, since the second program would otherwise inherit the first program's permission to reach the network.

The confused deputy problem occurs when the designation of an object (a name such as a file path or URL) is passed from one program to another, and the permission associated with that designation changes unintentionally, without any explicit action by either party: the receiving program applies its own authority to a name chosen by the sender.

In the cross-site request forgery example, the remedy is for a URL supplied "cross"-site to carry its own authority, independent of that of the web browser's user, so that the request can do no more than the party who supplied the URL was already entitled to do.

Prototypical confused deputy Barney Fife