From: Arian J. Evans (arian.evans@anachronic.com)
Date: Thu Oct 05 2006 - 18:02:49 EDT
> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com] On Behalf Of Levenglick, Jeff
> Proof that -He knows that he did.
> Because he is teaching a class on security he should know it
> is illegal
What, exactly, is illegal about it?
I see people keep saying this, but no meat to the comments.
Maybe, perhaps, this is defined by HTML tags in some courts?
<b> is legal but <script> is not? How about hex html encoding?
Or what do you consider XSS testing?
I submit what is legal has nothing to do with these things,
in the US, and to a lesser degree, the UK laws. I do not
know unfortunately enough about EU laws to comment.
Someone said you have to see sensitive data to validate SQL
injection, which is a naïve statement. In certain cases, say
using MS tsql queries, I can tell quite easily if I can inject
SQL by terminating the query using: ;--
Some simply with: '
That is SQL syntax. That is SQL Injection. That does not expose
any sensitive data, and is also, evidently, valid input.
Did I hack? Is it illegal?
Please. The real threat is the injury & impact lawsuit from
a misguided entity with deep pockets, not the criminal courts.
</mindless_speculations>
-ae
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:07 EDT