The Web Hacking Incidents Database
Last update: 17 February 2008
List of Incidents for a Classification
Please note that classifications are a new feature and not all entries in WHID are already classified, so when you get a certain number of entries for a classification, WHID might have more records matching that classification that we did not classify yet. We hope to complete the classification process soon.
List of incidents for which Attack Method is Cross Site Scripting (XSS)
60 incidents listed
Reported: 17 February 2008 Occurred: 23 November 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: Global
- Outcome: Defacement
- Vertical: Technology
The standard disclaimer that we do not cover each and every defacement is relevant to this entry as well. So why do we include the defacement incident this time? First and foremost, it is known to be an XSS abusing a WordPress zero day bug. Secondly, it is a targeted attack aiming to deface only Mac-related web sites. Usually targeted defacement attacks are carried out against political targets. Did attacking Apple become a political issue? Was Apple transformed into a nation overnight? Well, certainly into a cult.
References:
Reported: 22 January 2008 Occurred: 20 January 2008
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Attack Method: SQL Injection
- Attack Method: Denial of Service
- Country: Global
- Country: USA
- Outcome: Defacement
- Outcome: Downtime
- Vertical: Entertainment
The web site of RIAA, the Recording Industry Association of America, was attacked twice using SQL injection over the weekend. First, a query that takes a particularly long time was posted on a social network web site, causing a distributed denial of service attack against the site. Later on, hackers found and abused additional SQL injection and XSS vulnerabilities, resulting in major defacement of the site.
References:
Reported: 09 January 2008 Occurred: 08 January 2008
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: Italy
- Outcome: Phishing
- Vertical: Finance
It has been a while since a phishing scam using an XSS vulnerability found its way to the Web Hacking Incidents Database (SunTrust, WHID 2004-11). The current incident is a good example of what does and does not get into our database: XSS vulnerabilities in public web sites are discovered daily and reported in sites such as XSSed; however, most of these vulnerabilities are not included in WHID for lack of public interest. The current incident is different since the vulnerability is known to be exploited by attackers, moving it from the realm of technical interest to the realm of a real problem.
References:
Reported: 19 December 2007 Occurred: 19 December 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: USA
- Outcome: Worm
- Vertical: Internet
A vulnerability in the social networking site Orkut that allowed users to inject HTML and JavaScript into their profiles set the stage for a persistent XSS worm that appears to have affected more than 650,000 Orkut users.
References:
Reported: 07 November 2007 Occurred: 23 September 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: USA
- Outcome: Disclosure Only
- Vertical: Retail
A small XSS vulnerability caught RSnake's eye. What makes it different, when after all xssed.com lists thousands and thousands of those? What caught RSnake's eye was the vulnerable site. TJMaxx earned the reputation as the company that suffered the biggest security breach ever. You would expect them to be more careful.
References:
Reported: 10 October 2007 Occurred: 09 October 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: Australia
- Outcome: Defacement
- Vertical: Politics
Using XSS on the sites of both major Australian political parties, a security researcher nicknamed Bsoric caused the Liberal Party's Web site to read: "John Howard says: I want to suck your blood", while another script caused a window to pop up on the Labor Party's Web site, urging viewers to "Vote Liberal!"
References:
Reported: 02 September 2007 Occurred: 29 August 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: New Zealand
- Outcome: Defacement
- Vertical: Media
Still defacement but this time with a twist. This was a genuine XSS rewriting attack, and was carried out by well known people as a stunt. No information is provided on how the XSS vector found its way to the victim computers.
References:
Reported: 01 July 2007 Occurred: 17 May 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: Germany
- Outcome: Disclosure Only
- Vertical: Finance
I seldom add disclosures anymore to WHID, even less XSS disclosures, but since this time they were discovered in banking sites, I thought it was worth it. After all, too many times people think that application vulnerabilities are found only at less "serious" or less "important" web sites where no real damage can occur.
References:
Reported: 02 April 2007 Occurred: 22 December 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
Zone-h is one of the best (well, the best, not just one of them) web sites to follow if you are interested in what the bad guys do. Their account of how their own web site was defaced is a classic. And no, it was not their fault. The incident shows how a seemingly minor vulnerability in a major web site (a Hotmail XSS bug) can be used to deface another, unrelated site in a very elaborate and targeted attack.
References:
Reported: 02 April 2007 Occurred: 02 March 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Attack Method: SQL Injection
- Country: Germany
- Outcome: Disclosure Only
- Vertical: Retail
While vulnerabilities in public web sites are a dime a dozen these days and rarely included in WHID, a classic SQL injection in the login form on the home page of the web site of a very big company is worth an entry. In my presentation I usually claim that such vulnerabilities have disappeared years ago and then go on to show advanced SQL injection techniques. It seems that they exist.
References:
Reported: 30 March 2007 Occurred: 29 January 2007
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: Canada
- Outcome: Defacement
- Vertical: Technology
Nokia's Canadian Web Site was defaced using an XSS attack.
References:
Reported: 27 July 2006 Occurred: 26 July 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
Most XSS vulnerabilities are benign. In many cases they are hardly exploitable. In this case Netscape's new Digg-like shared news site was hacked using a persistent XSS attack, so every viewer of the site was attacked, luckily only to show funny dialog boxes.
References:
- Netscape.com hacked
Blog Entry, F-Secure, 26 July 2006
- Netscape.com hit with cross-site scripting attack
News Story, Search Security, 26 July 2006
- AOL Fixes Netscape.com XSS Hack
News Story, Beta News, 26 July 2006
- Netscape Hacked, Professor Denies Sexiness Claims
News Story, SecurityPro News, 26 July 2006
- NetScape.com - JavaScript Exploit Embaressment
Blog Entry, Threadwatch.org, 26 July 2006
Reported: 24 July 2006 Occurred: 16 July 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Worm
MySpace seems to be a heaven for XSS worms. This one seems to be even more interesting as it uses JavaScript embedded in a Flash file. It is also interesting as it seems to combine the popular political defacement trend with a high level application layer exploit.
References:
Reported: 24 July 2006 Occurred: 04 July 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An XSS vulnerability in the feature allowing adding an arbitrary RSS to personal web pages. Since this page resides on the main www.google.com host, the executed JavaScript can access any Google resource.
References:
Reported: 24 July 2006 Occurred: 16 June 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
While XSS vulnerabilities in public web sites are found daily, this one is of special interest. It was found in one of the sites most targeted by Phishers, it is exploitable for Phishing and was exploited. On top of that, it seems to have been discovered and reported to PayPal already two years ago but ignored due to a communication failure.
References:
Reported: 24 July 2006 Occurred: 16 June 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Attack Method: Abuse of Functionality
A bug in MySpace allowed a single click on an incoming bulletin by a person to forward it to all his contacts, making spreading a worm (or any content for that matter) too easy.
References:
Reported: 09 May 2006 Occurred: 28 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Libero.it is a Web portal of a big Italian ISP offering dial-up, broadband and talk services. A script on its customer service pages which enables a connection speed test is vulnerable to XSS.
References:
Reported: 09 May 2006 Occurred: 04 May 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Alexadex is an online investment game. There is an XSS vulnerability in the group adding functionality.
References:
Reported: 09 May 2006 Occurred: 03 January 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
This community site allows including scripts in multiple locations, including one's personal profile, thus enabling XSS.
References:
Reported: 09 May 2006 Occurred: 21 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Yahoo mail does not properly filter the CSS "expression" keyword when it includes a comment that is encoded.
References:
Reported: 09 May 2006 Occurred: 05 May 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
A researcher found that the login error page on this site can be injected.
References:
Reported: 18 April 2006 Occurred: 17 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Phishing
An XSS vulnerability in Yahoo Mail is actively exploited for targeted phishing.
References:
Reported: 12 April 2006 Occurred: 24 February 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Sourceforge download pages are vulnerable to XSS
References:
Reported: 12 April 2006 Occurred: 12 February 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Everyone.net login script (loginuser.pl) is prone to a cross site scripting attack in the variable loginName.
References:
Reported: 12 April 2006 Occurred: 10 January 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
ICQ.com search script (search_result.php) is vulnerable to cross-site scripting attacks. This problem is due to a failure in the application to properly sanitize user input; the input can be passed to the vulnerable script in 2 variables (gender and home_country_code).
References:
Reported: 12 April 2006 Occurred: 20 February 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
The $a variable in Hotmail's inbox is vulnerable to cross site scripting. The exploit requires the victim to open the email message.
References:
Reported: 10 April 2006 Occurred: 04 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Yet another Google XSS. This time it seems to hit the Arabic variant of the main search site. It seems that the actual language selector parameter enables the attack.
References:
Reported: 10 April 2006 Occurred: 09 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Sourceforge forums search is vulnerable to XSS
References:
Reported: 10 April 2006 Occurred: 05 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Forget putting <script> tags in an input field. This high tech vulnerability exploits the code handling online/offline flags by inserting a malicious online/offline flag. Awesome.
References:
Reported: 10 April 2006 Occurred: 05 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
Israblog is a large Israeli blogging site. A hacker used XSS to hijack bloggers' sessions and deface them. The defacing was used to inform the world that Israblog's lead developer is a bad programmer.
References:
Reported: 04 April 2006 Occurred: 19 April 1999
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: USA
- Outcome: Disclosure Only
A very early XSS issue at eBay. Interesting historically as it seems that at the time the term XSS was not yet in use.
References:
Reported: 04 April 2006 Occurred: 04 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
eBay contains a cross-site scripting vulnerability. When an eBay user posts an auction, eBay allows SCRIPT tags to be included in the auction description, which creates a cross-site scripting vulnerability in the eBay website.
References:
Reported: 29 March 2006 Occurred: 28 January 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Hotmail's filtering engine insufficiently filters JavaScript scripts. It is possible to write JavaScript in the BGCOLOR attribute of the BODY tag, using CSS. This leads to execution when the email is viewed. JavaScript must be Unicode encoded in order to fool the filter. This encoding is recognized with IE >= 6
References:
Reported: 05 March 2006 Occurred: 25 February 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Links sent to a user as part of the mail content are not properly sanitized, so a user receiving such mail and activating a link would be affected.
References:
Reported: 05 March 2006 Occurred: 02 March 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
A 14-year-old claims to have discovered an XSS flaw in Google's Gmail. Comments have been mixed, and Google did not comment, so either the flaw was fixed pretty fast, or did not exist.
References:
Reported: 03 March 2006 Occurred: 28 February 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
Unlike other XSS cases, this was discovered due to actual abuse on a specific auction at eBay.
References:
- Ebay XSS
Mailing List Post, Full Disclosure, 28 February 2006
Reported: 28 February 2006 Occurred: 21 November 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
XSS in Google Base search function
References:
Reported: 28 February 2006 Occurred: 23 November 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Inserting code in an HTML attachment enables changing the user interface of Yahoo mail, which may enable fraud.
References:
Reported: 28 February 2006 Occurred: 18 December 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
A malicious site can offer users a malformed RSS XML file to be included in Yahoo RSS aggregation that would enable stealing Yahoo cookies.
References:
Reported: 28 February 2006 Occurred: 05 December 2005
Classifications:
- Attack Method: Abuse of Functionality
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An XSS when receiving notification of an incoming IM message. Additionally it is possible to send an IM message to somebody who has blocked such messages by pretending to be answering a message from him.
References:
Reported: 28 February 2006 Occurred: 21 December 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
A redirection to an error page on Google.com includes values sent by the user. This vulnerability allows phishers to send an e-mail with links to Google that will include their attack page.
References:
- XSS vulnerabilities in Google.com
Advisory, Watchfire, 21 December 2005
- Google Cross-Site Scripting Flaw Fixed
News Story, Beta News, 21 December 2005
- Google plugs 'obscure' phishing holes
News Story, CNet, 21 December 2005
- Google XSS Example
Blog Entry, Chris Shiflett, 21 December 2005
- Google's XSS Vulnerability
Blog Entry, Chris Shiflett, 21 December 2005
Reported: 28 February 2006 Occurred: 22 December 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An attacker can send an e-mail with a malicious script to a victim, which performs its actions immediately when the e-mail is read.
References:
Reported: 26 February 2006 Occurred: 14 December 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Netcraft discovered an XSS vulnerability in the NIST web site, which ironically hosts the U.S. National Vulnerability Database.
References:
Reported: 10 November 2005 Occurred: 21 October 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
XSS in Yahoo mail, allows phishing
References:
Reported: 10 November 2005 Occurred: 10 October 2005
Classifications:
- Attack Method: Other
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
References:
Reported: 08 November 2005 Occurred: 25 May 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
References:
Reported: 08 November 2005 Occurred: 10 April 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Worm
The Samy worm at MySpace is now a classic. Both a sophisticated attack and a well documented one, it became a case study in the web application security field. Recently Robert Hansen (RSnake) wrote a very interesting blog entry about Samy and what happened to him since.
References:
- My Lunch With Samy
Blog Entry, ha.ckers, 10 March 2007
- MySpace XSS worm writer notes
Hacker Notes, bindshell, 10 April 2005
- MySpace XSS worm source
Technical Description, bindshell, 10 April 2005
- MySpace XSS virus development
Technical Description, bindshell, 10 April 2005
- Cross-Site Scripting Worm Hits MySpace
News Story, Beta News, 10 April 2005
Reported: 08 November 2005 Occurred: 06 December 2004
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Attack Method: Content Spoofing
Phishing based on XSS (same vulnerability but a different attack than the similar September 2004 attack)
References:
Reported: 11 July 2005 Occurred: 14 January 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An XSS was found in Froogle
References:
Reported: 11 July 2005 Occurred: 27 December 2004
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An XSS was found in Lycos Web Mail
References:
Reported: 11 July 2005 Occurred: 27 October 2004
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An XSS was found in G-Mail
References:
Reported: Occurred: 05 November 2001
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
References:
Reported: Occurred: 03 August 2001
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Persistent XSS HTML Injection inside an HTML email message to hotmail
References:
Reported: Occurred: 21 August 2001
Classifications:
- Attack Method: Cross Site Scripting (XSS)
Users who visited the Price Lotto site using Microsoft's IE (Internet Explorer) 4.x and 5.x, automatically downloaded malicious JavaScript that was programmed to alter the software configuration of their PCs.
References:
Reported: Occurred: 30 June 2004
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Attack Method: SQL Injection
- Outcome: Disclosure Only
References:
Reported: Occurred: 16 February 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An Israeli public debates site called Hyde Park has an XSS vulnerability that exposes session cookies.
References:
Reported: Occurred: 03 March 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Attack Method: Content Spoofing
References:
Reported: Occurred: 28 September 2004
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Country: USA
- Outcome: Phishing
- Vertical: Finance
Phishing based on XSS
References:
Reported: Occurred: 31 December 2003
Classifications:
- Attack Method: SQL Injection
- Attack Method: Cross Site Scripting (XSS)
References:
Reported: Occurred: 04 June 2005
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
References:
- Microsoft fixes Hotmail hack
News Story, VUnet, 09 June 2005
- Hotmail users exposed to cookie snaffling exploit
News Story, The Register, 08 June 2005
- MSN Site Flaw Exposes Hotmail Accounts to Prying Eyes
News Story, PC Magazine, 07 June 2005
- MSN flaw put Hotmail accounts at risk
News Story, CNet, 06 June 2005
- Hacking hotmail, by Alex de Vries
Technical Information, Personal Web Page, 04 June 2005
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.