The Web Hacking Incidents Database. Last update: 17 February 2008
List of Incidents for a Classification
Please note that classifications are a new feature and not all entries in WHID have been classified yet, so the number of entries you get for a classification may be lower than the number of WHID records that actually match it. We hope to complete the classification process soon.
Select classification: Attack Method, Country, Location, Origin, Outcome, Software, Vertical
Select criteria for classification "Attack Method": Abuse of Functionality, Administration Error, Brute Force, Buffer Overflow, Content Spoofing, Credential/Session Prediction, Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS), Denial of Service, Directory Indexing, Drive by Pharming, Failure to Restrict URL Access, Format String Attack, HTTP Response Splitting, Improper Error Handling, Insecure Direct Object Reference, Insufficient Anti-automation, Insufficient Authentication, Insufficient Authorization, Insufficient Process Validation, Insufficient Session Expiration, Known Vulnerability, LDAP Injection, Misconfiguration, OS Commanding, Other, Path Traversal, Predictable Resource Location, Redirection, Session Fixation, Session Hijacking, SQL Injection, SSI Injection, Unintentional Information Disclosure, Unknown, Weak Password Recovery Validation, XPath Injection
List of incidents for which Attack Method is Credential/Session Prediction
20 incidents listed
Reported: 01 January 2008. Occurred: 29 January 2007.
Classifications:
- Attack Method: Credential/Session Prediction
- Country: Brazil
- Outcome: Disclosure Only
- Vertical: Finance
IDG now reports a bug in the internet banking application of Unibanco, a Brazilian bank. The vulnerability allowed logged-in users to view the transaction receipts of other, unrelated users by changing the "receipt ID" in the form or URL.
Reported by Alexandre Sieira
References:
Reported: 22 December 2007. Occurred: 22 December 2007.
Classifications:
- Attack Method: Credential/Session Prediction
- Country: USA
- Outcome: Monetary Loss
- Outcome: Leakage of Information
- Outcome: Identity Theft
- Vertical: Security & Law Enforcement
The Secret Service has arrested at least 6 people in an investigation involving information theft from an Ohio court web site, with the stolen data actively used for identity theft. At least one known identity theft case resulted in a $40,000 loss to the victim.
The sensitive information was stolen by manipulating predictable identifier parameters. The stolen information belongs to at least 270 people and includes names, addresses, ages and other details that could be used to obtain credit cards and open bank accounts.
References:
Reported: 19 December 2007. Occurred: 01 December 2007.
Classifications:
- Attack Method: Credential/Session Prediction
- Country: Canada
- Outcome: Disclosure Only
- Vertical: Government
The Web site of the Canadian passports authority enabled users to access other people's records by modifying the value of a parameter in the URI.
References:
Reported: 26 April 2007. Occurred: 23 April 2007.
Classifications:
- Attack Method: Credential/Session Prediction
- Country: Australia
- Outcome: Leakage of Information
- Vertical: Media
The site of "Big Brother", a reality show in Australia, issued duplicate session IDs to different users because the session ID pool was exhausted. Naturally, the 2nd person to get the same session ID got to see all the details of the 1st one!
References:
Reported: 02 April 2007. Occurred: 11 January 2007.
Classifications:
- Attack Method: Credential/Session Prediction
- Country: USA
- Outcome: Loss of Sales
- Vertical: Technology
A priority code used to get a free platinum pass to MacWorld Expo was validated on the client side, which enabled anyone to get the pass for free. While "grutz" informed the organizers about it, when they went over their log files they found that others had already abused the vulnerability without telling anyone.
References:
Reported: 12 April 2006. Occurred: 18 October 2005.
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
A bug in Gmail's authentication and session management allowed direct login to anybody's account without requiring any involvement of the victim.
References:
Reported: 28 February 2006. Occurred: 24 December 2005.
Classifications:
- Attack Method: Credential/Session Prediction
- Attack Method: Insufficient Authentication
- Outcome: Disclosure Only
Janus mutual fund used a predictable identifier to authenticate its shareholders, enabling them to vote on behalf of others.
References:
Reported: 22 August 2005. Occurred: 12 August 2005.
Classifications:
- Attack Method: Insufficient Authentication
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
A web site flaw could have allowed a user to view another subscriber's balance of remaining airtime minutes and the number of minutes that customer had used in the current billing cycle.
References:
Reported: 04 August 2005. Occurred: 26 January 2004.
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
References:
Reported: 04 August 2005. Occurred: 06 September 2001.
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
References:
Reported: 04 August 2005. Occurred: 02 February 2004.
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
References:
Reported: 31 July 2005. Occurred: 30 July 2005.
Classifications:
- Attack Method: Insufficient Authentication
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
While not strictly web security, this discussion of hotel room TV application security is a very good example of the dangers of our networked society.
References:
Reported: n/a. Occurred: 27 June 2005.
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
References:
Reported: n/a. Occurred: 23 February 2005.
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
Parameter tampering enabled jumping into someone else's account data on the PayMaxx Inc. site.
References:
Reported: n/a. Occurred: 09 July 2002.
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
Opening an account with a discontinued e-mail address exposed all the information of the discontinued account.
References:
Reported: n/a. Occurred: 18 June 2001.
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
View other orders by changing a sequential parameter number. Security was provided only by client-side JavaScript.
References:
Reported: n/a. Occurred: 13 September 2000.
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Leakage of Information
View other customers' orders by changing a sequential number within a URL parameter.
References:
Reported: n/a. Occurred: 02 March 2005.
Classifications:
- Attack Method: Credential/Session Prediction
Parameter tampering to jump into someone else's account data.
References:
Reported: n/a. Occurred: 05 December 2002.
Classifications:
- Attack Method: Credential/Session Prediction
View other customers' orders by changing a guessable number within a URL parameter.
References:
Reported: n/a. Occurred: 13 February 2003.
Classifications:
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
View other customers' information by modifying a cookie.
References:
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.