Penetration Testing mailing list archives
RE: SQL Injection Legalities
From: Joe <junk () quickfinger com>
Date: Thu, 18 Jul 2002 11:00:34 -0500 (CDT)
This only applies to communications that cross state lines. If you, and the host you are attempting to exploit, are in the same state, it would fall under state law. Perhaps the argument could be made that the packets left the state while travelling between your two machines, but that's a matter for court precedents.

On Wed, 17 Jul 2002 darrell () cpp com wrote:

Check out http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/47/sections/section_1030.html

I think you'll find your answer

US Title 18: Part I: Chapter 47, Section 1030

-----Original Message-----
From: Deus, Attonbitus [mailto:Thor () HammerofGod com]
Sent: Wednesday, July 17, 2002 9:48 AM
To: Pen-Test
Subject: SQL Injection Legalities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I hesitate asking the group about law, but here goes:

Let's say a site gives you the capability to search their product-base via a web input box. You know, the standard search/submit deal. You type in "bicycle" and it gives you everything that starts with "bicycle." Simple enough.

As we all know, web app susceptibility to SQL injects runs amok; let's say in this case that instead of typing "bicycle," I type "bicycle' or 1=1--" and get all the products.

Have I broken the law? More specifically, have I broken the law in the US?

One could argue that the site is allowing me to specify what I want to see, and all I am doing is typing in what I want... Though the developer may not have intended for me to pull up the data like that, does my doing so constitute a crime?

I'm not looking for ethical or moral debate here, I am hoping someone has some distinct legal experience who knows.

Thanks.

AD