The Web Hacking Incidents Database
Last update: 17 February 2008
List of Incidents for a Classification
Please note that classifications are a new feature and not all entries in WHID are already classified, so when you get a certain number of entries for a classification, WHID might have more records matching that classification that we did not classify yet. We hope to complete the classification process soon.
List of incidents for which Attack Method is Misconfiguration
3 incidents listed
Reported: 01 January 2008
Occurred: 04 May 2007
Classifications:
- Attack Method: Misconfiguration
- Country: UK
- Outcome: Planting of Malware
- Outcome: Leakage of Information
- Vertical: Service Providers
Misconfiguration of a webmail system at a British hosting provider led to leakage of the entire user database, including all e-mails. The e-mail addresses were actively used for sending spam. Additionally, the exploit was used to plant malware on some of the customers' web sites. This incident is unique because PlusNet has published a very interesting and revealing report about the incident that sheds a lot of light on the real-world state of application security. A must read.
Reported: 29 March 2007
Occurred: 27 March 2007
Classifications:
- Attack Method: Misconfiguration
- Country: USA
- Outcome: Defacement
- Vertical: Politics
An open source developer virtually defaced John McCain's MySpace page. He did not have to commit any crime, because the page pulled an image directly from the open source developer's site.
Reported: Occurred: 10 September 2000
Classifications:
- Attack Method: Misconfiguration
- Attack Method: Failure to Restrict URL Access
- Country: USA
Sensitive files were left in a publicly accessible directory during a maintenance window.
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.