|
The Web Hacking Incidents Database
Last update:17 February 2008
List of Incidents for a Classification
Please note that classifications are a new feature and not all entries in WHID are already classified, so when you get a certain number of entries for a classification, WHID might have more records matching that classification that we did not classify yet. We hope to complete the classification process soon.
Select classification:
Attack Method, Country, Location, Origin, Outcome, Software, Vertical Select criteria for classification "Attack Method":
Abuse of Functionality, Administration Error, Brute Force, Buffer Overflow, Content Spoofing, Credential/Session Prediction, Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS), Denial of Service, Directory Indexing, Drive by Pharming, Failure to Restrict URL Access, Format String Attack, HTTP Response Splitting, Improper Error Handling, Insecure Direct Object Reference, Insufficient Anti-automation, Insufficient Authentication, Insufficient Authorization, Insufficient Process Validation, Insufficient Session Expiration, Known Vulnerability, LDAP Injection, Misconfiguration, OS Commanding, Other, Path Traversal, Predictable Resource Location, Redirection, Session Fixation, Session Hijacking, SQL Injection, SSI Injection, Unintentional Information Disclosure, Unknown, Weak Password Recovery Validation, XPath Injection
List of incidents for which Attack Method is Insufficient Authorization
17 incidents listed
Reported: 24 July 2006Occurred: 30 June 2006
Classifications:
- Attack Method: Insufficient Authorization
- Attack Method: Predictable Resource Location
- Outcome: Disclosure Only
MySpace bulletins, presumably accessible only to the social network of the originator can be access by anyone by iterating through a message id query parameter.
References:
Reported: 24 July 2006Occurred: 12 July 2006
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
Altiris seems to have designed their servers so that it is easy to both access their customers upload as well as find out their e-mail addresses.
References:
Reported: 26 February 2006Occurred: 13 January 2006
Classifications:
- Attack Method: Insufficient Authorization
- Attack Method: Predictable Resource Location
- Outcome: Disclosure Only
Documents uploaded to GSA site where accessed using a predictable sequential identifier without requiring special permissions. The documents where available both for viewing and modifying. The site was in service for more than 18 months until the vulnerability was discovered.
References:
Reported: 10 November 2005Occurred: 07 November 2005
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
References:
Reported: 08 November 2005Occurred: 02 November 2005
Classifications:
- Attack Method: Insufficient Authorization
Business wire allowed access to non published press releases.
References:
Reported: 08 November 2005Occurred: 28 October 2005
Classifications:
- Attack Method: Other
- Attack Method: Insufficient Authorization
Configuration mistake left an unprotected unused virtual host. No details on the configuration problems given.
References:
Reported: 08 November 2005Occurred: 10 March 2005
Classifications:
- Attack Method: Insufficient Authorization
References:
Reported: 04 August 2005Occurred: 02 February 2004
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
References:
Reported: 04 August 2005Occurred: 02 February 2004
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
References:
Reported: 04 August 2005Occurred: 02 February 2004
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
References:
Reported: 04 August 2005Occurred: 26 January 2004
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
References:
Reported: 11 July 2005Occurred: 21 September 2002
Classifications:
- Attack Method: Insufficient Authorization
- Attack Method: Predictable Resource Location
References:
Reported: Occurred: 04 March 2004
Classifications:
- Attack Method: Insufficient Authorization
Previously moderated weather announcements could be changed by the user
References:
Reported: Occurred: 05 July 2005
Classifications:
- Attack Method: SQL Injection
- Attack Method: OS Commanding
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
A person who discovered an SQL injection vulnerability in a USC system and informed security focus about the flaw was criminally charged with breaking into the system.
References:
Reported: Occurred: 27 May 2005
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
Files containing sensitive information left unprotected on the web server
References:
Reported: Occurred: 14 June 2004
Classifications:
- Attack Method: Insufficient Authentication
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
A billing information system required only phone number and zip code to pull up account details
References:
Reported: Occurred: 24 October 2003
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
View other customers orders by changing a sequential number within a URL parameter
References:
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
|
