SQL Injection Legalities
From: Deus, Attonbitus (Thor@HammerofGod.com)
Date: 07/17/02
Date: Wed, 17 Jul 2002 09:48:01 -0700
To: Pen-Test <PEN-TEST@SECURITYFOCUS.COM>
From: "Deus, Attonbitus" <Thor@HammerofGod.com>
I hesitate asking the group about law, but here goes:
Let's say a site gives you the capability to search their product-base via a
web input box. You know, the standard search/submit deal.
You type in "bicycle" and it gives you everything that starts with
"bicycle." Simple enough. As we all know, web app susceptibility to SQL
injects runs amok; let's say in this case that instead of typing "bicycle,"
I type "bicycle' or 1=1--" and get all the products. Have I broken the
law? More specifically, have I broken the law in the US?
One could argue that the site is allowing me to specify what I want to see,
and all I am doing is typing in what I want... Though the developer may
not have intended for me to pull up the data like that, does my doing so
constitute a crime?
I'm not looking for ethical or moral debate here, I am hoping someone has
some distinct legal experience who knows. Thanks.
AD
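The search-box behaviour the message describes, as an added example that is not part of the original post: a "starts with" product search built by string concatenation next to the same search with a bound parameter. The SQLite in-memory catalogue, the table and column names, and the function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample catalogue (not data from the post).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT)")
    db.executemany(
        "INSERT INTO products VALUES (?)",
        [("bicycle",), ("bicycle pump",), ("helmet",), ("unlisted prototype",)],
    )
    return db

def search_concatenated(db, term):
    # Weak form: the search term is pasted into the SQL text, so a quote
    # in the term ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name FROM products WHERE name LIKE '" + term + "%'"
    return sorted(row[0] for row in db.execute(sql))

def search_parameterized(db, term):
    # Hardened form: the term is bound as data and never parsed as SQL.
    # LIKE wildcards in the term are escaped so "%" cannot match every row.
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'"
    return sorted(row[0] for row in db.execute(sql, (escaped + "%",)))

if __name__ == "__main__":
    db = make_db()
    for term in ("bicycle", "bicycle' or 1=1--", "%"):
        print(repr(term))
        if term != "%":  # a bare % would leave the concatenated SQL as LIKE '%%'
            print("  concatenated :", search_concatenated(db, term))
        print("  parameterized:", search_parameterized(db, term))
```

With the bound parameter, the string from the post is searched for literally and matches no product name.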