ePrivacy and GPDR Cookie Consent by Cookie Consent
question from an older thread about url dorking etc. – Digitalmunition




Home Forums question from an older thread about url dorking etc.

This topic contains 1 reply, has 2 voices, and was last updated by  dantose 1 month, 2 weeks ago.

  • Author
    Posts
  • #290216

    anonymous
    Participant

    in this generally good and [informative thread](https://www.reddit.com/r/hacking/comments/2wp6ta/legality_of_accessing_content_hid_on_a_website/coswy8l?utm_source=share&utm_medium=web2x) from 5 years ago it is claimed that:

    > BUT – if there’s a ‘download’ link which is disabled until after you pay,
    > and you edit it to make it ‘enabled’, that download link is giving you
    > access to a different file. If you access it, you’re breaking the law.

    I dont know if this is true. I’m not a lawyer.

    My objection is that, if a company provided a generic download link like `site.com/download/enabled` to a paying customer, and that link was shared with a third party, how could it be possible to charge the third party with computer acts when they literally visited a publicly website link?

    And in general, are there publicly accessible urls that would be strictly illegal to even access?

    Lastly does all of the above also apply to post/ etc reqeusts and payload hacking? If the website i visit sends down req A to itself, and i modify the request, to say change the query from “foo” to “bar”, is this strictly speaking a computer acts violation?

    are we saying that the “edit and resend” button in dev console is basically a loaded gun?

    I really dont know what the difference is legally between changing “foo” to “bar”, vs “foo” to “INJECTION”. If they are relying on js to escape the string they havent posted yet, are they somehow “legally” protected? can I trollishly honeypot myself and sue people frivously?

    Is this still a debate or these questions been fully settled?

    Thanks to any lawyers who can weigh in

  • #290217

    dantose

    Not a lawyer, but my understanding is that it’s a matter of bypassing known limitations on access.

    Examples:

    You are given access to example.com/authorized.file

    You figure out the structure of how that’s generated and access example.com/unauthorized.file. You’ve knowingly exceeded your authorized access. (illegal)

    Now let’s say instead that you had general access to the site. You know of /page1.htm, page2.htm, page3.htm, etc. all of these you have normal access to. You type in page537.htm and discover that it’s some super secret admin panel you shouldn’t have access to. You’ve done nothing illegal because you were not knowingly exceeding authorized access. (now if you start messing around with that admin panel, knowing that you shouldn’t have access to it, that’s a whole other thing)

You must be logged in to reply to this topic.