The Web Hacking Incidents Database
Last update: 17 February 2008
List of Incidents for a Classification
Please note that classifications are a new feature and not all entries in WHID are already classified, so when you get a certain number of entries for a classification, WHID might have more records matching that classification that we did not classify yet. We hope to complete the classification process soon.
List of incidents for which Attack Method is Insufficient Authentication
16 incidents listed
Reported: 19 December 2007 Occurred: 27 October 2007
Classifications:
- Attack Method: Known Vulnerability
- Attack Method: Insufficient Authentication
- Attack Method: SQL Injection
- Country: UK
- Outcome: Downtime
- Software: WordPress
- Vertical: Education
This story probably represents hundreds of similar stories. Many of us have come to rely on open source software, which is useful, feature-rich and free. It gives us access to tools that were available to only a few a couple of years ago. The downside is that this easy availability means that many use the tools without having the time, resources and expertise to protect them. Systems such as phpBB and WordPress are good examples of very popular open source systems that require constant attention in order to remain secure.
I am sure that the guys at Light Blue Touchpaper have the expertise to protect their WordPress installation, but they don't have the time. They made the compromise between ease of management of their web site and its security. Actually my personal blog might be just as vulnerable, since as I write this I am very much not paying attention to its security.
Apart from, or actually because of, the fact that the victims are security experts, this story is noteworthy due to two additional twists in the plot:
- Zero day exploit in the wild - the attacker penetrated twice, once using a known SQL injection vulnerability, but the second time using a previously unknown vulnerability in WordPress, which was reverse engineered and published for the first time by the people at Light Blue Touchpaper.
- The researchers found that they could use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient lookup of encrypted passwords.
References:
Reported: 25 October 2007 Occurred: 01 November 2004
Classifications:
- Attack Method: Insufficient Authentication
- Attack Method: Predictable Resource Location
- Outcome: Disclosure Only
Following a software upgrade, Cahoot, a UK-based Internet-only bank, allowed access to user accounts by guessing their user names. At least one page allowed access to an account by specifying only the user name in the URL. The bug was open for 12 days before being discovered.
The site was taken offline for 10 hours to fix the issue. It is a significant incident, as it is one of those rare occasions where a vulnerability was serious enough to force the organization to just take the site offline until it was fixed.
We somehow missed this story so it finds its way to WHID only now in late 2007.
References:
Reported: 10 October 2007 Occurred: 06 October 2007
Classifications:
- Attack Method: Insufficient Authentication
- Country: USA
- Outcome: Loss of Sales
- Vertical: Retail
A hacker exploited a leftover admin function on eBay to block users and close sales.
References:
Reported: 30 July 2007 Occurred: 25 July 2007
Classifications:
- Attack Method: Insufficient Authentication
- Country: USA
- Outcome: Leakage of Information
- Vertical: Health
In a classic case of lack of proper separation between the production and development sites, an application under production with lack of proper authentication and authorization was installed on a hospital's public web site, enabling anyone to query a database of 51,000 names, addresses and social security numbers.
References:
Reported: 17 June 2007 Occurred: 13 June 2007
Classifications:
- Attack Method: Insufficient Authentication
- Country: Jamaica
- Country: USA
- Outcome: Deceit
- Vertical: Government
If you live in a country from which you need a visa to get to the States, you knew this would happen. The US online visa appointment system is very open. Indeed, too open. Someone in Jamaica took advantage of this to pre-allocate appointments.
While this might be classified as a business process design flaw, isn't security also about this?
References:
Reported: 05 April 2007 Occurred: 09 February 2007
Classifications:
- Attack Method: Insufficient Authentication
- Country: USA
- Outcome: Defacement
- Vertical: Education
Two girls modified a school's home page by adding a note that school was closed due to a snow storm. The attack was probably done using a rogue admin account.
References:
Reported: 10 April 2006 Occurred: 31 March 2006
Classifications:
- Attack Method: Insufficient Authentication
A security hole in Sydney internet provider Astratel's LiveBilling online account management system has seriously compromised its customers' privacy. The service redirected users to a different server and propagated the user information in a hidden field without re-authenticating.
References:
Reported: 28 February 2006 Occurred: 24 December 2005
Classifications:
- Attack Method: Credential/Session Prediction
- Attack Method: Insufficient Authentication
- Outcome: Disclosure Only
Janus mutual fund uses a predictable identifier to authenticate its shareholders, enabling them to vote for others.
References:
Reported: 10 November 2005 Occurred: 21 October 2005
Classifications:
- Attack Method: Insufficient Authentication
- Outcome: Disclosure Only
The software has a default password for teachers, enabling anyone to access the system with teacher privileges.
References:
Reported: 22 August 2005 Occurred: 12 August 2005
Classifications:
- Attack Method: Insufficient Authentication
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
A web site flaw could have allowed a user to view another subscriber's balance of remaining airtime minutes and the number of minutes that customer had used in the current billing cycle.
References:
Reported: 22 August 2005 Occurred: 18 August 2005
Classifications:
- Attack Method: Insufficient Authentication
References:
Reported: 31 July 2005 Occurred: 30 July 2005
Classifications:
- Attack Method: Insufficient Authentication
- Attack Method: Credential/Session Prediction
- Outcome: Disclosure Only
While not strictly web security, this discussion of hotel room TV application security is a very good example of the dangers of our networked society.
References:
Reported: 11 July 2005 Occurred: 22 February 2005
Classifications:
- Attack Method: OS Commanding
- Attack Method: Weak Password Recovery Validation
- Attack Method: Insufficient Authentication
Details remain sketchy, but news reports include social engineering, a guessable secret question for password recovery, and a known vulnerability in BEA WebLogic.
References:
Reported: Occurred: 05 May 2005
Classifications:
- Attack Method: Insufficient Authentication
- Outcome: Disclosure Only
Extranet system accessible to the public
References:
Reported: Occurred: 14 June 2004
Classifications:
- Attack Method: Insufficient Authentication
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
A billing information system required only phone number and zip code to pull up account details
References:
Reported: Occurred: 01 February 2005
Classifications:
- Attack Method: Directory Indexing
- Attack Method: Insufficient Authentication
- Outcome: Leakage of Information
Multiple misconfiguration problems such as browsable directories, physical path revealing and default or weak passwords
References:
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.