[WEB SECURITY] security audit - how to avoid legal prosecution

Achim Hoffmann kirke11 at securenet.de
Wed Jun 8 15:57:39 EDT 2005


On Wed, 8 Jun 2005, Martin O'Neal wrote:

!! Unauthorised access is generally illegal. Expecting an organisation to be
!! anything other than hostile to such an approach would be naïve.

What is "unauthorised access" if not expressed on the website itself?

For example, if there is a login page and you use some different usernames,
could this be considered unauthorised access? I doubt it.

Another example: a web site has a search function and you key in
	x"' onmouseover="alert('heureca');"
is this unauthorised? If so, what is authorised then?

This is all a definition for lawyers and needs to be written on each page,
probably for each input field separately. Think of a password like:
	' or 1=1 '--
Am I a terrorist because I use such passwords? ;-)

Please teach the programmers to validate *any* data instead of criminalising
users with laws.

Sorry for being off-topic, somehow ..
-- Achim
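The two probe strings above are the ones every web programmer should be taught to handle. The following is an added example, not code from the mailing list post or from any project it mentions: a throwaway SQLite login check and a search form, each shown in the broken string-concatenation form beside the parameterised / output-encoded form. The table name, user row and the `render_search_*` helpers are invented for the demo. The SQL injection uses the spaced variant `' or 1=1 --`, which is the form that comments out the closing quote in SQLite; the post's exact spelling with a quote before `--` is also fed to the parameterised query to show it is treated as plain data.

```python
import html
import sqlite3

# Probe strings from the mailing list post (the XSS one verbatim, the SQL one
# in its spaced form so that "--" comments out the rest of the line in SQLite).
XSS_PROBE = 'x"\' onmouseover="alert(\'heureca\');"'
SQLI_PASSWORD = "' or 1=1 --"
POST_PASSWORD = "' or 1=1 '--"   # exact spelling used in the post


def make_db():
    """Constructed in-memory users table with one known account (demo data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable: user input is pasted into the SQL text.

    With password = "' or 1=1 --" the statement becomes
      ... WHERE username='x' AND password='' or 1=1 --'
    and, because AND binds tighter than OR, every row matches.
    """
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, username, password):
    """Hardened: placeholders keep the quotes and '--' inside a data value,
    so the same strings can only ever be compared, never parsed."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def render_search_unescaped(term):
    """Vulnerable: the search term is reflected into an attribute unchanged.
    The probe closes value="..." and adds an onmouseover handler."""
    return f'<input type="text" name="q" value="{term}">'


def render_search_escaped(term):
    """Hardened: html.escape(quote=True) turns both quote characters into
    entities, so the browser sees a single attribute value and no handler."""
    return f'<input type="text" name="q" value="{html.escape(term, quote=True)}">'


if __name__ == "__main__":
    db = make_db()
    print("concat, bogus user + sqli password :", login_concat(db, "nobody", SQLI_PASSWORD))
    print("param,  bogus user + sqli password :", login_param(db, "nobody", SQLI_PASSWORD))
    print("param,  alice + post's password    :", login_param(db, "alice", POST_PASSWORD))
    print(render_search_unescaped(XSS_PROBE))
    print(render_search_escaped(XSS_PROBE))
```

Parameterisation and output encoding, rather than trying to guess which characters a user may legitimately type, are the practical form of "validate any data": the input is never rejected or mutated, it is simply never allowed to reach a parser as code.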


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
