|
The Web Hacking Incidents Database
Last update:17 February 2008
List of Incidents for a Classification
Please note that classifications are a new feature and not all entries in WHID are already classified, so when you get a certain number of entries for a classification, WHID might have more records matching that classification that we did not classify yet. We hope to complete the classification process soon.
Select classification:
Attack Method, Country, Location, Origin, Outcome, Software, Vertical Select criteria for classification "Attack Method":
Abuse of Functionality, Administration Error, Brute Force, Buffer Overflow, Content Spoofing, Credential/Session Prediction, Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS), Denial of Service, Directory Indexing, Drive by Pharming, Failure to Restrict URL Access, Format String Attack, HTTP Response Splitting, Improper Error Handling, Insecure Direct Object Reference, Insufficient Anti-automation, Insufficient Authentication, Insufficient Authorization, Insufficient Process Validation, Insufficient Session Expiration, Known Vulnerability, LDAP Injection, Misconfiguration, OS Commanding, Other, Path Traversal, Predictable Resource Location, Redirection, Session Fixation, Session Hijacking, SQL Injection, SSI Injection, Unintentional Information Disclosure, Unknown, Weak Password Recovery Validation, XPath Injection
List of incidents for which Attack Method is Redirection
2 incidents listed
Reported: 07 November 2007Occurred: 02 November 2007
Classifications:
- Attack Method: Redirection
- Country: Global
- Outcome: Phishing
- Vertical: Internet
While most WHID entries are about web
site breaches, sometimes vulnerability in a web application is used indirectly. Redirection functions in web applications are commonly used by spammers and phishers. It allows them
to include a honest looking URL in their e-mail, this way bypassing
spam filters and observant users.
Symantec response team found actively
used alternative in the best known page on the internet: Google primary search page. By using the Google famous "I feel lucky" feature, the spammer can automatically lead the victim to
the first result of a search. All the spammer is left with is finding a
query for which his site would pop up first on Google.
This method has another advantage over a redirection page,
as the final target is specified by a search string and not by a URL,
bypassing smarter filters that know, or learn, that a URL as a parameter of a URL is most probably redirection.
References:
Reported: 05 March 2006Occurred: 22 February 2006
Classifications:
- Attack Method: Redirection
- Outcome: Disclosure Only
Google reader allows redirection so sites can fool users to subscribe to malicious content.
References:
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
|
