Update: Directly from Daniel Cuthbert himself.
Your posting needs to be updated to reflect current UK, and possibly future European, laws.
Testing ANY website without authorisation is illegal in the UK. Under the Computer Misuse Act of 1990, it states "It is an offense to make a computer perform a function and for that function to be deemed unauthorised by the owner of that computer". Simply put, doing a simple GET on the site could be deemed illegal if the owner didn't want you to do that. Testing for XSS is a punishable offense and people will, and have, been charged with this in the UK.
Wow. This is a seriously broad definition, dangerously so. Thanks for that, Daniel. I wonder how often this law is actually being used to prosecute. Coincidentally, there was another post on the legality of penetration testing today on SF pen-test, this time from Germany.
"in Germany we are about to implement the cybercrime treaty in local law with the number § 202 c. This change will make the possession, trafficking, making available and producing of tools with the *intention* for hacking and snooping traffic an offense punishable with up to a year in prison."
This might actually be helping the bad guys more than the good guys, and it also has implications for companies whose business is making these tools (even the big guys). Then I went and looked up the U.S. Computer Fraud and Abuse Act (via Wikipedia). According to the six items listed that are against the law, they all seem to have the qualifier of "intent to defraud". This wording seems saner to me.
RSnake’s message board sla.ckers.org has been on fire with cross-site scripting vulnerability disclosures. There has been intense media coverage from Dark Reading, InfoWorld, TechWorld, syndication to Dr. Dobb’s, and even a Slashdot’ing for good measure. We all know XSS is a huge problem, a problem likely to get worse, but one issue that hasn’t been raised is legality. On what side of the law do you land when disclosing proof-of-concept (PoC) that a website is vulnerable to XSS? This is particularly important in light of the recent hacking conviction stories of Eric McCarty (SQL Injection) and Daniel Cuthbert (Directory Traversal). I’m no lawyer, but here’s my take.