Contributors

Jeremiah Grossman
(WhiteHat Security)

Ofer Shezaf
(Breach Security) [Project Leader]

The Web Hacking Incidents Database
Last update: 17 February 2008

List of Incidents for a Classification

Please note that classifications are a new feature and not all entries in WHID have been classified yet, so when a classification returns a certain number of entries, WHID might hold more records matching that classification that have not been classified yet. We hope to complete the classification process soon.


Criteria for classification "Attack Method":
Abuse of Functionality, Administration Error, Brute Force, Buffer Overflow, Content Spoofing, Credential/Session Prediction, Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS), Denial of Service, Directory Indexing, Drive by Pharming, Failure to Restrict URL Access, Format String Attack, HTTP Response Splitting, Improper Error Handling, Insecure Direct Object Reference, Insufficient Anti-automation, Insufficient Authentication, Insufficient Authorization, Insufficient Process Validation, Insufficient Session Expiration, Known Vulnerability, LDAP Injection, Misconfiguration, OS Commanding, Other, Path Traversal, Predictable Resource Location, Redirection, Session Fixation, Session Hijacking, SQL Injection, SSI Injection, Unintentional Information Disclosure, Unknown, Weak Password Recovery Validation, XPath Injection


List of incidents for which Attack Method is Abuse of Functionality
5 incidents listed
WHID 2005-64: Woman scammed QVC for $400,000+ in Internet glitch
Reported: 20 November 2007
Occurred: 01 March 2005

Classifications:

  • Attack Method: Abuse of Functionality
  • Country: USA
  • Outcome: Monetary Loss

A woman exploited a bug in the QVC shopping network web site to obtain, without paying, more than 1,800 items worth $412,000 between March and November 2005. The glitch enabled her to cancel orders she placed at a specific time and still receive the product.

References:

WHID 2006-41: Making money with MySpace bulletin system!
Reported: 24 July 2006
Occurred: 16 June 2006

Classifications:

  • Attack Method: Cross Site Scripting (XSS)
  • Attack Method: Abuse of Functionality

A bug in MySpace allowed a single click on an incoming bulletin to forward it to all of the recipient's contacts, making it far too easy to spread a worm (or any other content, for that matter).

References:

WHID 2005-51: Critical MySpace Vulnerabilities Leave Every Active Account Exploitable
Reported: 28 February 2006
Occurred: 05 December 2005

Classifications:

  • Attack Method: Abuse of Functionality
  • Attack Method: Cross Site Scripting (XSS)
  • Outcome: Disclosure Only

An XSS vulnerability triggered when receiving notification of an incoming IM message. Additionally, it was possible to send an IM message to somebody who had blocked such messages by pretending to be answering a message from him.

References:

WHID 2005-36: Predictable delay in an online poker game enabled users to beat the casino
Reported: 04 September 2005
Occurred: 29 August 2005

Classifications:

  • Attack Method: Abuse of Functionality

A player of an online poker game discovered that a considerable delay in the game hinted at the cards the dealer held.

References:

WHID 2000-3: Gaffe at Amazon leaves email addresses exposed
Reported:
Occurred: 06 September 2000

Classifications:

  • Attack Method: Abuse of Functionality
  • Country: USA
  • Outcome: Leakage of Information

E-mail addresses of other customers were displayed by mistake; no hacking was required.

References:

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

© Copyright 2005, Web Application Security Consortium. All rights reserved.