[Supermancho]

Thats a third party. Youre mixing responsibility and ascribing it to an innocent party. That was the obvious point, with an incidental mention of another (random input) case where innocence is a reasonable deduction. Therefore, it is not necessary for an sql injection attack to be connected with the intent of the actor. Period.

From US caselaw, theres a little history about the not chasing after infected botnet hosts as bad actors.

[wvenable]

If you commit wire fraud through an innocent intermediary, you're still guilty of wire fraud. If you give someone a link that's an attack and they unknowingly run it, then you're the one at fault not the person clicking the link.

I think it's pretty straight forward.

[Supermancho]

> an SQL injection could also be "just a query parameter" and the server would haply reply with a 200. (true)

> With a sql injection, you have to willfully provide an input with the hope that it results in injection (false)

> If I send you a link that happens to include arguments that happen to be a SQL injection (or my cat steps on my keyboard in just the right way), there was no intent. (true)

> Your intent by crafting such a link was clear. (irrelevant)

You can have SQL injection without intent, as I have adequately explained.

This redirection to an "original actor" is a bad faith argument toward finding if there is someone culpable. The poster I responded to, made a bad general assertion and I stand by it. GL with whatever.

[chrsig]

You're kind of just describing why it's hard to prosecute based on intent though.

For the purposes of distinguishing between if something is an exploit or not, it doesn't seem too relevant