How legal is SQL Injection / XSS? (not authorized)

Posted: Mon Oct 08, 2012 9:09 am
by Legu
Topic name says everything.

Re: How legal is SQL Injection / XSS? (not authorized)

Posted: Mon Oct 08, 2012 12:09 pm
by KEN
Illegal, even if you make no changes at all.
Think of it like this: if you point a gun at someone but don't take their valuables (watch, money, etc.), it will still be illegal and charges can be placed on you.
SQL injection is considered an attack as far as I know. If they have enough time to backtrack you then yeah, you can be in trouble, but well, maybe I'm watching too many movies :)

Re: How legal is SQL Injection / XSS? (not authorized)

Posted: Mon Oct 08, 2012 6:50 pm
by Sethioz
Ken is correct, however in reality no one really gives a shit.
There is always a possibility of getting into serious trouble, but it's a very small chance that it happens.
I have never heard of anyone who has been charged.

It's extremely hard to even prove that something like that happened, since only very few websites record everything that is going on and that alone is NOT the evidence. ISPs do not record what you do on the internet, they just have records of IP address activity.

If you are planning on attacking someone with SQL injection or XSS (why do you do XSS / SQL? It's not the same thing), then you shouldn't worry about getting into trouble, that is of course if you're not going to attack some government sites.
If you are paranoid, just use the TOR proxy network.
I've done this for years and it has never got further than some brat running their mouth, and in those cases they even knew I did it and they couldn't do shit.

Re: How legal is SQL Injection / XSS? (not authorized)

Posted: Mon Oct 08, 2012 7:07 pm
by Legu
I wrote SQL / XSS, cuz I believe these 2 are the most common methods.

Anyhow, when you don't change anything in the database (select / union), and don't publish it or use it in any way to make "money", I think it is definitely different when u shut the website down (delete) and they start investigating what really happens. Another question that might interest me regarding this topic: how much "traffic" (requests) does a successful SQL injection in the best case generate? (Impossible to answer, I know, but how much is at least needed? Like u can tell that 10000ips are enough for WEP and so on.)

Re: How legal is SQL Injection / XSS? (not authorized)

Posted: Tue Oct 09, 2012 2:39 am
by Sethioz
You are so wrong. There is a company called ZDI (google it); they buy dangerous exploits that can seriously harm some software and then they contact the developers and offer them help for a huge amount of money. If they refuse, they will give 1 week for developers and then they publish the vulnerability on their site.

It is so-called "legal blackmailing". By law it's OK to do so, but if you think of it, it's nothing but blackmailing: pay or have your vulnerability posted out in public.
I really don't care if such things are legal or not, I do what I need to do or exploit just for fun.