RE: SQL Injection Legalities

From: Michael Deyo (MichaelDat_private)
Date: Wed Jul 17 2002 - 11:23:49 PDT


    Disclaimer - I am not an attorney, I have not received formal legal
    training, and I do not hold any legal credentials.  Therefore, I am not
    qualified to give professional legal advice.  All views expressed in this
    message are based on personal opinion and experience.
    
    The Federal computer crime law (18 U.S.C. 1030, Computer Fraud and Abuse
    Act) makes it illegal for anyone to intentionally access a computer without
    authorization, or in excess of authorization, and "obtain information from
    any protected computer if the conduct involved an interstate or foreign
    communication."  All computers connected to the Internet potentially engage
    in interstate communication by the nature of the way in which the Internet
    operates, so this statute applies to all Internet hosts.  The entire text of
    the Act can be viewed at
    http://www.usdoj.gov/criminal/cybercrime/1030_new.html.
    
    In your scenario, you were authorized to access the website and enter search
    terms at your discretion.  I would argue that it is the responsibility of
    the computer system owner to communicate what types of activity are
    authorized and unauthorized.  If there was specific communication that SQL
    injection constitutes unauthorized activity, and that only valid search
    terms should be entered, you have violated this Act.  If, however, you
    accessed the site and had a reasonable belief that you held the privilege to
    enter any and all search terms, it would be difficult to prove intent to
    gain unauthorized access on your part.  In addition, it is the
    responsibility of the system developer to include security mechanisms to
    prevent unauthorized access.  You did not circumvent a security mechanism in
    this case.
    
    Another issue to examine is the degree of damage caused to the system as a
    result of the SQL injection.  If you simply returned the entire product
    listing, this is a relatively benign activity.  This is assuming that the
    information returned is not particularly sensitive, such as bank records,
    credit card numbers, or protected health information.  If, however, you used
    SQL injection to modify information or destroy data, this is a more critical
    issue.  This will certainly violate the Federal statute, and most state laws.
    While it may be implied that you have authorization to view the resulting
    information of searches, it is not implied that you are authorized to modify
    or delete system information.
    
    Mike
    
    
    
    
    
    -----Original Message-----
    From: Deus, Attonbitus [mailto:Thorat_private]
    Sent: Wednesday, July 17, 2002 12:48 PM
    To: Pen-Test
    Subject: SQL Injection Legalities
    
    
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
    I hesitate asking the group about law, but here goes:
    
    Let's say a site gives you the capability to search their product-base via a
    web input box.  You know, the standard search/submit deal.
    
    You type in "bicycle" and it gives you everything that starts with
    "bicycle."  Simple enough.  As we all know, web app susceptibility to SQL
    injection runs amok; let's say in this case that instead of typing "bicycle,"
    I type "bicycle' or 1=1--" and get all the products.  Have I broken the
    law?  More specifically, have I broken the law in the US?
    
    One could argue that the site is allowing me to specify what I want to see, 
    and all I am doing is typing in what I want...  Though the developer may 
    not have intended for me to pull up the data like that, does my doing so 
    constitute a crime?
    
    I'm not looking for ethical or moral debate here, I am hoping someone has 
    some distinct legal experience who knows.  Thanks.
    
    AD
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
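As an added illustration (not code from either poster), this shows the two ways the search box in the question can be wired up, run against a constructed SQLite product table: the concatenated query that lets "bicycle' or 1=1--" return every row, beside a parameterized version that treats the same input as plain data.

```python
import sqlite3

# Constructed sample data for this example; not taken from the thread.
PRODUCTS = [
    ("bicycle pump", 12.50),
    ("bicycle helmet", 40.00),
    ("tent", 120.00),
    ("sleeping bag", 65.00),
]


def _open_db() -> sqlite3.Connection:
    """Fresh in-memory database so each search runs stand-alone."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def search_concat(term: str) -> list[str]:
    """The wiring the question assumes: the search term is spliced into the
    SQL text, so a quote in the input ends the string literal and whatever
    follows becomes part of the query (the '--' then comments out the rest)."""
    conn = _open_db()
    sql = f"SELECT name FROM products WHERE name LIKE '{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_param(term: str) -> list[str]:
    """Hardened wiring: the term is passed as a bound parameter, so it is only
    ever compared as data, no matter which characters it contains.  LIKE's own
    wildcards (% and _) are escaped too, so the user cannot widen the match."""
    conn = _open_db()
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (escaped + "%",))]


if __name__ == "__main__":
    for term in ("bicycle", "bicycle' or 1=1--"):
        print(repr(term), "concat:", search_concat(term))
        print(repr(term), "param: ", search_param(term))
```

The prefix "bicycle" returns the same two rows either way; the injected string returns all four rows from the concatenated query and none from the parameterized one.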
    



    This archive was generated by hypermail 2b30 : Thu Jul 18 2002 - 09:05:25 PDT