Penetration Testing mailing list archives
RE: SQL Injection Legalities
From: Joe <junk () quickfinger com>
Date: Thu, 18 Jul 2002 11:33:14 -0500 (CDT)
I am not a lawyer. Moderator, feel free to reject. Comments in line. On Wed, 17 Jul 2002, Michael Deyo wrote:
All computers connected to the Internet potentially engage in interstate communication by the nature of the way in which the Internet operates, so this statue applies to all Internet hosts. The entire text of the Act can be viewed at http://www.usdoj.gov/criminal/cybercrime/1030_new.html.
Can you cite a court precedent? I would disagree. Yes, all computers connected to the internet potentially engage in interstate communication, but my interpretation of this law is that the "crime" must occur across state lines. Most hackers capable of using traceroute can prove their packets did or did not cross state lines. Alternatively, the hacker could simply use the same ISP as the target.
In your scenario, you were authorized to access the website and enter search terms at your discretion. I would argue that it is the responsibility of the computer system owner to communicate what types of activity are authorized and unauthorized. If there was specific communication that SQL injection constitutes unauthorized activity, and that only valid search terms should be entered, you have violated this Act. If, however, you accessed the site and had a reasonable belief that you held the privilege to enter any and all search terms, it would be difficult to prove intent to gain unauthorized access on your part. In addition, it is the responsibility of the system developer to include security mechanisms to prevent unauthorized access. You did not circumvent a security mechanism in this case.
Interesting observation. Kudos!
Another issue to examine is the degree of damage caused to the system as a result of the SQL injection. If you simply returned the entire product listing, this is a relatively benign activity. This is assuming that the information returned is not particularly sensitive, such as bank records, credit card numbers, or protected health information. If, however, you used SQL injection to modify information or destroy data, this is a more critical issue. This will certainly violate the Federal statue, and most state laws. While it may be implied that you have authorization to view the resulting information of searches, it is not implied that you are authorized to modify or delete system information.
According to the statute cited, all you have to do is "obtian information." It doesn't matter if the information is benign, sensitive or damaged. It might make a difference in sentencing, but not in determination of guilt (assuming jurisdiction is met).
Mike -----Original Message----- From: Deus, Attonbitus [mailto:Thor () HammerofGod com] Sent: Wednesday, July 17, 2002 12:48 PM To: Pen-Test Subject: SQL Injection Legalities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I hesitate asking the group about law, but here goes: Lets say a site gives you the capability to search their product-base via a web input box. You know, the standard search/submit deal. You type in "bicycle" and it gives you everything that starts with "bicycle." Simple enough. As we all know, web app susceptibility to SQL injects runs amok; lets say in this case that instead of typing "bicycle," I type "bicycle' or 1=1--" and get all the products. Have I broken the law? More specifically, have I broken the law in the US? One could argue that the site is allowing me to specify what I want to see, and all I am doing is typing in what I want... Though the developer may not have intended for me to pull up the data like that, does my doing so constitute a crime? I'm not looking for ethical or moral debate here, I am hoping someone has some distinct legal experience who knows. Thanks. AD
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- SQL Injection Legalities Deus, Attonbitus (Jul 17)
- Re: SQL Injection Legalities Quickfinger (Jul 18)
- <Possible follow-ups>
- RE: SQL Injection Legalities darrell (Jul 18)
- RE: SQL Injection Legalities Joe (Jul 18)
- RE: SQL Injection Legalities Michael Deyo (Jul 18)
- RE: SQL Injection Legalities Joe (Jul 18)
- RE: SQL Injection Legalities Weaver, Woody (Jul 22)
- RE: SQL Injection Legalities Deus, Attonbitus (Jul 22)
- RE: SQL Injection Legalities Daniel Polombo (Jul 30)
- RE: SQL Injection Legalities Weaver, Woody (Jul 22)