HTML: Company name prohibited due to security vulnerability

A British company had to change its name because the name could inject code into web pages.


The British authority Companies House, which is responsible for the country's commercial register, has forced a company to change its name because the name may pose a security risk. The company name was made up of HTML code structured like a classic cross-site scripting (XSS) attack, which could allow JavaScript code to be executed in the context of a website – including the website of the British authority.

The company's founder told the British newspaper The Guardian that he did not choose the company name to attack Companies House's website, but rather thought it was “a funny, playful name” for his consulting firm. That is hard to imagine, however, given the original company name:

"><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD

If this HTML code (the company name is nothing else) is not properly validated and is output into an HTML element of a web page, a script from the URL in the company name is executed in the context of that page. The Guardian writes that the script stored there only issued a harmless warning. However, it could also have been used for attacks at a later time.
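The mechanism described above, as an added example that is not part of the original article or of any Companies House code: a page that writes the company name into an HTML attribute unchanged, next to the same page with output encoding. The function names, the input field and the simplified tag scanner are assumptions made for illustration.

```javascript
// The company name from the article, treated as untrusted data.
const COMPANY_NAME = '"><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD';

// Unsafe: concatenation copies the name into the markup unchanged.
function renderUnsafe(name) {
  return '<input type="text" name="company" value="' + name + '">';
}

// Encode the five characters that can change HTML structure.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Safe: the name is encoded for the context it is written into.
function renderSafe(name) {
  return '<input type="text" name="company" value="' + escapeHtml(name) + '">';
}

// Simplified scanner (an assumption, not a full HTML parser): lists the
// element names a browser would open in this markup.
function tagsIn(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] === '<' && /[a-z]/i.test(html[i + 1] || '')) {
      const m = /^[a-z][a-z0-9]*/i.exec(html.slice(i + 1));
      tags.push(m[0].toLowerCase());
      i += 1 + m[0].length;
      let quote = null;
      // Skip the attributes; a '>' inside a quoted value does not end the tag.
      while (i < html.length) {
        const ch = html[i];
        if (quote) { if (ch === quote) quote = null; }
        else if (ch === '"' || ch === "'") quote = ch;
        else if (ch === '>') break;
        i++;
      }
    }
    i++;
  }
  return tags;
}

console.log(tagsIn(renderUnsafe(COMPANY_NAME))); // the name closes the attribute and opens a script element
console.log(tagsIn(renderSafe(COMPANY_NAME)));   // the name stays inside the value attribute as text
```

With encoding applied, the browser still displays the name exactly as registered, so the register does not have to reject or rewrite the name to render it safely.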

The company has now been renamed to “That Company whose Name used to contain HTML Script Tags LTD”. It is not the first time that a company name has contained code: the company name `; DROP TABLE "COMPANIES";-- LTD` is meant to delete contents of the database using an SQL command. However, according to the Guardian, the companies were not forced to change their names. According to the Guardian, the website of the authority, Companies House, simply states “name of company available on request” instead of the name.
