Penetration Testing mailing list archives

SQL Injection Legalities


From: "Deus, Attonbitus" <Thor () HammerofGod com>
Date: Wed, 17 Jul 2002 09:48:01 -0700




I hesitate asking the group about law, but here goes:

Let's say a site gives you the capability to search their product-base via a 
web input box.  You know, the standard search/submit deal.

You type in "bicycle" and it gives you everything that starts with 
"bicycle."  Simple enough.  As we all know, web app susceptibility to SQL 
injects runs amok; let's say in this case that instead of typing "bicycle," 
I type "bicycle' or 1=1--" and get all the products.  Have I broken the 
law?  More specifically, have I broken the law in the US?

One could argue that the site is allowing me to specify what I want to see, 
and all I am doing is typing in what I want...  Though the developer may 
not have intended for me to pull up the data like that, does my doing so 
constitute a crime?

I'm not looking for ethical or moral debate here, I am hoping someone has 
some distinct legal experience who knows.  Thanks.

AD



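An added example, not part of the original post, showing why the "starts with" search described above returns every product when the search box receives "bicycle' or 1=1--", and how the same query with a bound parameter treats that input as an ordinary (non-matching) search term. The product names are constructed sample data and the two search functions are hypothetical, standing in for the site's code.

```python
import sqlite3

# Constructed sample catalogue standing in for the site's product-base.
PRODUCTS = ["bicycle", "bicycle pump", "bicycle helmet", "skateboard", "scooter"]


def make_db() -> sqlite3.Connection:
    """Build an in-memory catalogue so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", [(p,) for p in PRODUCTS])
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    """The 'starts with' search as the post imagines it: the box contents are
    pasted straight into the SQL text, so a quote ends the string literal and
    '--' turns the rest of the statement into a comment."""
    sql = f"SELECT name FROM products WHERE name LIKE '{term}%'"
    return sorted(row[0] for row in conn.execute(sql))


def search_safe(conn: sqlite3.Connection, term: str) -> list[str]:
    """Same search with a bound parameter: the driver passes the term as a
    value, so quotes and '--' inside it never reach the SQL parser."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, (term + "%",)))


def demo() -> dict[str, list[str]]:
    """Run both searches with a normal term and with the input from the post."""
    conn = make_db()
    plain = "bicycle"
    payload = "bicycle' or 1=1--"  # the exact string quoted in the post
    return {
        "vulnerable_plain": search_vulnerable(conn, plain),
        "vulnerable_payload": search_vulnerable(conn, payload),
        "safe_plain": search_safe(conn, plain),
        "safe_payload": search_safe(conn, payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The concatenated query becomes `... WHERE name LIKE 'bicycle' or 1=1--%'`, which matches every row; the parameterized version looks for names beginning with the literal text and finds none.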
