Contributors

Jeremiah Grossman
(WhiteHat Security)

Ofer Shezaf
(Breach Security) [Project Leader]

The Web Hacking Incidents Database
Last update: 17 February 2008

List of Incidents for a Classification

Please note that classifications are a new feature and not all entries in WHID are already classified, so when you get a certain number of entries for a classification, WHID might have more records matching that classification that we did not classify yet. We hope to complete the classification process soon.


List of incidents for which Attack Method is SQL Injection
34 incidents listed
WHID 2007-84: Soccer league's online shoppers get kicked by security breach
Reported: 10 February 2008
Occurred: 01 August 2007

Classifications:

  • Attack Method: SQL Injection
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Sports

It is already February, and we are still adding 2007 incidents. If you wonder why, it is because organizations such as MLS only now find out that they were hacked last year! Sometime between January and August of 2007, names, addresses, credit and debit card data, and passwords of an unknown number of people, including 169 New Hampshire residents, were stolen from the site.

Why New Hampshire? Because the company has to report to the authorities there about the incidents, but only specify the number of individuals from this state affected. Why only New Hampshire? Since regulations and bills requiring disclosures exist in many states, one would expect that the company would have to provide such a testimonial in many states. This incident is another good example of the size of the hidden part of the iceberg.

References:

WHID 2008-06: Hackers Take Down Pennsylvania Government
Reported: 28 January 2008
Occurred: 06 January 2008

Classifications:

  • Attack Method: SQL Injection
  • Country: USA
  • Outcome: Planting of Malware
  • Outcome: Defacement
  • Vertical: Government

You dfon

References:

WHID 2008-04: RIAA web site cleared
Reported: 22 January 2008
Occurred: 20 January 2008

Classifications:

  • Attack Method: Cross Site Scripting (XSS)
  • Attack Method: SQL Injection
  • Attack Method: Denial of Service
  • Country: Global
  • Country: USA
  • Outcome: Defacement
  • Outcome: Downtime
  • Vertical: Entertainment

The web site of the RIAA, the Recording Industry Association of America, was attacked twice using SQL injection over the weekend. First, a query that takes a particularly long time was posted on a social network web site, causing a distributed denial of service attack against the site. Later on, hackers found and abused additional SQL injection and XSS vulnerabilities, resulting in major defacement of the site.

References:

WHID 2008-03: FTC settles with a retailer for lack of reasonable security
Reported: 19 January 2008
Occurred: 19 January 2008

Classifications:

  • Attack Method: SQL Injection
  • Country: USA
  • Outcome: Disclosure Only
  • Vertical: Retail

An SQL injection vulnerability that could result in a hacker being able to access credit card numbers, expiration dates, and security codes of thousands of consumers was discovered in the web site of retailer "life is good".

The US Federal Trade Commission charged "life is good" with lack of reasonable and appropriate security for the sensitive consumer information stored on its servers. The company's settlement with the FTC requires it to accept a very comprehensive and costly security procedure going forward.

References:

WHID 2007-82: An SQL injection Mass Robot
Reported: 08 January 2008
Occurred: 28 December 2007

Classifications:

  • Attack Method: SQL Injection
  • Origin: China
  • Outcome: Planting of Malware

An SQL injection robot is running wild and has already hacked hundreds of thousands of web sites. Since the robot plants malicious code in infected sites, its traces can be found by Googling for the name of Chinese sites referred to in the malicious code.

As a security practitioner I often see SQL injection bots, many times when I install ModSecurity, an open source application firewall, but this bot is unique in the way it exploits web sites. It is easier to perform a wide scale attack by exploiting the least common denominator, which in the hacking world is the operating system. As a result, most SQL bots tend to try to use SQL injection vectors that will enable issuing OS commands. A good example is a Cacti vulnerability: since it allows an OS command to be issued, I often see bots looking for it in the wild. This attack is the first I have seen in which the actual attack vector is SQL based. The bot is modifying every record it has access to into malicious code in the hope that it will be fetched and displayed by the application to its users.

A byproduct of this vector is that the results are catastrophic for the site owners. While in the case of common defacement attacks restoring (or recreating) the homepage is all that is required to get back to business, in this case the whole database is ruined. Considering the scope of the attack and that restoring the database, if it was ever backed up, requires much more expertise, the overall damage of this attack is very high.

References:

WHID 2007-79: Infamous Russian malware gang used SQL injection to penetrate US government sites
Reported: 01 January 2008
Occurred: 09 November 2007

Classifications:

  • Attack Method: SQL Injection
  • Country: Brazil
  • Country: USA
  • Origin: Russia
  • Outcome: Planting of Malware
  • Vertical: Government

RBN was a big story. It was a hackers group that could work relatively freely in Russia due to rumored connections in high places. This way it could offer safe hosting for malware. To get people to the malware, they penetrated web sites around the world, and the referenced article mentioned SQL injection as the method by which they infiltrated more high profile sites, such as US government sites.

References:

WHID 2007-81: MSNBC Turkish site caught serving malware
Reported: 01 January 2008
Occurred: 06 November 2007

Classifications:

  • Attack Method: SQL Injection
  • Country: Turkey
  • Outcome: Planting of Malware
  • Vertical: Media

Another Malware defacement, but this time at a very prominent web site: MSNBC Turkish edition. There are indications that this is an application layer attack.

References:

WHID 2007-70: Tucson, Arizona police web site defaced using SQL injection
Reported: 20 December 2007
Occurred: 20 December 2007

Classifications:

  • Attack Method: SQL Injection
  • Country: USA
  • Origin: Indonesia
  • Outcome: Defacement
  • Vertical: Security & Law Enforcement

Just like WHID 2007-60, this hack is probably a representative of many other incidents. The Indonesian hacker Hmei7 has left the message "Hmei7 has touched your soul" on the Web site of the police department in Tucson, Arizona. Only unlike regular defacement, this time it is not the front page but rather the news section that was modified.

As many of you know, the news section is one of the few database driven parts in many mostly static sites, as it allows the site owner to add news without requiring a web designer. Therefore it came as no surprise that the attack was identified by a public source as an SQL injection attack.

References:

WHID 2007-60: The blog of a Cambridge University security team hacked
Reported: 19 December 2007
Occurred: 27 October 2007

Classifications:

  • Attack Method: Known Vulnerability
  • Attack Method: Insufficient Authentication
  • Attack Method: SQL Injection
  • Country: UK
  • Outcome: Downtime
  • Software: WordPress
  • Vertical: Education

This story probably represents hundreds of similar stories. Many of us have come to rely on open source software, which is useful, feature rich and free. It gives us access to tools that were available only to a few a couple of years ago. The downside is that this easy availability means that many use the tools without having the time, resources and expertise to protect them. Systems such as phpBB and WordPress are good examples of very popular open source systems that require constant attention in order to remain secure.

I am sure that the guys at Light Blue Touchpaper have the expertise to protect their WordPress installation, but they don’t have the time. They made the compromise between ease of management of their web site and its security. Actually my personal blog might be just as vulnerable, since as I write this I am very much not paying attention to its security. 

Apart from, or actually because of, the fact that the victims are security experts, this story is noteworthy due to two additional twists in the plot:

  • Zero day exploit in the wild - the attacker penetrated twice, once using a known SQL injection vulnerability, but the second time using a previously unknown vulnerability in WordPress, which was reverse engineered and published for the first time by the people at Light Blue Touchpaper.
  • The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient lookup of hashed passwords.

References:

WHID 2007-51: 570 Scarborough & Tweed customers' personal information accessed by SQL injection
Reported: 04 November 2007
Occurred: 30 September 2007

Classifications:

  • Attack Method: SQL Injection
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Retail

The web servers of Scarborough & Tweed, a company that sells corporate gifts online, were compromised and information about 570 customers may have been accessed using an SQL injection attack. The information includes customers' names, addresses, telephone numbers, account numbers, and credit card numbers.

References:

WHID 2007-47: Commerce Bank, a US regional bank, hacked
Reported: 12 October 2007
Occurred: 10 October 2007

Classifications:

  • Attack Method: SQL Injection
  • Country: USA
  • Outcome: Leakage of Information
  • Vertical: Finance

3,000 records were exposed and 20 actually stolen at Commerce Bank, a small bank in Central USA. While the vulnerability exploited is not clear, SQL injection was mentioned. Therefore the record is uncertain and based on further information, it might be withdrawn.

References:

WHID 2007-38: Gentoo takes server offline due to security vulnerabilities
Reported: 30 August 2007
Occurred: 07 August 2007

Classifications:

  • Attack Method: SQL Injection
  • Attack Method: OS Commanding
  • Vertical: Technology

This gem is very interesting since it happened on Gentoo servers. It therefore combines the transparency into the incident that only an open source project can offer with the importance and resources of a large one. As a result we have a detailed report about the vulnerability, exploit attempts and even people shouting at each other during the patching process. What can we learn from this? That no server is secure, and that patching is hard.

References:

WHID 2007-37: United Nations VS SQL Injections
Reported: 13 August 2007
Occurred: 12 August 2007

Classifications:

  • Attack Method: SQL Injection
  • Country: United Nations
  • Outcome: Defacement
  • Vertical: Government

Defacements are usually beyond the scope of the Web Hacking Incidents Database. We only publish those that stand out, and this one certainly stands out.

The site of the United Nations was broken into and defaced using a pretty basic SQL injection technique, and the referenced article has all the details.

References:

WHID 2007-30: Microsoft UK site defaced
Reported: 01 July 2007
Occurred: 27 June 2007

Classifications:

  • Attack Method: SQL Injection
  • Country: UK
  • Outcome: Defacement
  • Vertical: Technology

Yet another defacement, but with a very high profile target, and a detailed description of the attack which took advantage of an SQL injection vulnerability. The report even includes a video recording of the attack.

References:

WHID 2007-21: Belgian Defense Ministry site defaced by Turks
Reported: 17 May 2007
Occurred: 15 January 2007

Classifications:

  • Attack Method: SQL Injection
  • Country: Belgium
  • Origin: Turkey
  • Outcome: Defacement
  • Vertical: Security & Law Enforcement

The site of the Belgian Defense Ministry was defaced by Turks who protested pro-Kurdish remarks by the Belgian government.

References:

WHID 2007-20: Pirate Bay breach leaks database
Reported: 14 May 2007
Occurred: 10 May 2007

Classifications:

  • Attack Method: SQL Injection
  • Country: Sweden
  • Outcome: Leakage of Information
  • Vertical: Internet

Pirate Bay is a BitTorrent information exchange blog site. Hackers used an SQL injection vulnerability in the web site to steal 1.6 million user names and passwords from the site. At least the passwords were hashed, which means that the hacker would need cracking software and only the lame passwords will be found. This incident highlights the Web authentication problem. Just think how many of those users use the same username and password on many other sites.

References:

WHID 2007-18: Microsoft.com defaced
Reported: 06 May 2007
Occurred: 03 May 2005

Classifications:

  • Attack Method: SQL Injection
  • Country: USA
  • Origin: Saudi Arabia
  • Outcome: Defacement
  • Vertical: Technology

This incredible story from our friends at Zone-H sheds light on one of those defacement attacks, which usually go unexplained. This time an infamous Saudi-Arabian hacker abused an SQL injection vulnerability in the Internet Explorer Administration Kit web site. And guess what type of SQL injection: a login form SQL injection!

References:

WHID 2005-62: Guidance Software
Reported: 18 April 2007
Occurred: 01 November 2005

Classifications:

  • Attack Method: SQL Injection

3,800 customer credit-card numbers were stolen in the attack on the Guidance Software web site. This incident is made more severe since Guidance Software is a provider of software for investigating security breaches and many of its clients are security and law enforcement agencies, some of them known to be affected.

As usual in such cases, the actual way in which the information was stolen was not disclosed. A Federal Trade Commission report on the incident, published only in 2007, revealed that the incident was a result of an SQL injection attack on Guidance servers. In a settlement with the FTC, Guidance agreed to implement a comprehensive information security program, including independent, third-party audits every other year for the next ten years.

References:

WHID 2007-12: SQL injection at knorr.de login page
Reported: 02 April 2007
Occurred: 02 March 2007

Classifications:

  • Attack Method: Cross Site Scripting (XSS)
  • Attack Method: SQL Injection
  • Country: Germany
  • Outcome: Disclosure Only
  • Vertical: Retail

While vulnerabilities in public web sites are a dime a dozen these days and rarely included in WHID, a classic SQL injection in the login form on the home page of the web site of a very big company is worth an entry. In my presentation I usually claim that such vulnerabilities have disappeared years ago and then go on to show advanced SQL injection techniques. It seems that they exist.

References:

WHID 2006-27: SQL Injection in incredibleindia.org
Reported: 20 April 2006
Occurred: 29 March 2006

Classifications:

  • Attack Method: SQL Injection
  • Outcome: Disclosure Only

www.incredibleindia.org is the official Indian government tourism website.

The researcher has found that the parameter PageID in the page ms_Page.asp is vulnerable to SQL injection. He further verified that, thanks to SQL error messages, standard probing methods for finding out the number of columns and their types work.

References:

WHID 2004-17: The CardSystems breach was an SQL Injection hack
Reported: 20 April 2006
Occurred: 01 September 2004

Classifications:

  • Attack Method: SQL Injection

This entry is a very important one. Most are already familiar with the infamous CardSystems incident, in which hackers stole 263,000 credit card numbers and exposed 40 million more, and several million dollars in fraudulent credit and debit card purchases were made with counterfeit cards. As a result of the breach CardSystems nearly went out of business and was eventually purchased by PayByTouch. CardSystems is considered by many the most severe publicized information security breach ever, and it caused company shareholders, financial institutions and card holders damage of millions of dollars.

But since the publication of the incident a year ago, the way in which the breach occurred remained a mystery.

Recently new articles about the case (listed below) revealed that SQL injection was used by the attackers to install a malicious script on the CardSystems web application database, which was scheduled to run every four days, extract records, zip them and export them to an FTP site.

This is one of the most stunning examples where a web application security hole was used to launch a targeted attack in order to steal money.

References:

WHID 2006-22: SQL injection in a banking application
Reported: 12 April 2006
Occurred: 01 January 2006

Classifications:

  • Attack Method: SQL Injection
  • Outcome: Disclosure Only

A CIO of a bank in Singapore reports that many application layer vulnerabilities, including SQL injection, were discovered in a banking application they purchased before it was put into production.

References:

WHID 2006-10: NUJP website defacement seen not related to political crisis
Reported: 05 March 2006
Occurred: 02 March 2006

Classifications:

  • Attack Method: SQL Injection

A mass defacement of a Philippine hosting service was carried out using SQL injection. It accidentally also defaced the site of the National Union of Journalists of the Philippines, which led some to believe that it was a targeted political attack.

References:

WHID 2006-3: Russian hackers broke into a RI GOV website
Reported: 26 February 2006
Occurred: 13 January 2006

Classifications:

  • Attack Method: SQL Injection

Russian hackers broke into a Rhode Island government Web site and allegedly stole credit card data from individuals who have done business online with state agencies. The hackers claimed to have stolen 53,000 credit card numbers, while the hosting service provider claims the number was just 4113. The technical reference site is in Russian; you can use Applied Languages Solutions for an online translation.

References:

WHID 2005-46: Teen uses SQL injection to break to a security magazine web site
Reported: 26 February 2006
Occurred: 01 November 2005

Classifications:

  • Attack Method: SQL Injection

A high school student used SQL injection to break into the site of a Taiwanese information security magazine from the Tech Target group and steal customers' information.

References:

WHID 2004-5: More Scary Tales Involving Big Holes In Web-Site Security - Gateway
Reported: 04 August 2005
Occurred: 02 February 2004

Classifications:

  • Attack Method: SQL Injection
  • Outcome: Disclosure Only

References:

WHID 2005-23: Chinese hacker held in Web data theft
Reported: 11 July 2005
Occurred: 07 July 2005

Classifications:

  • Attack Method: SQL Injection

The hacker who penetrated Kakaku.com was arrested after breaking into Club Tourism International Inc. Hacking was done in order to earn money to pay for tuition.

References:

WHID 2004-10: SQL Injection and XSS on presidential campaign web sites
Reported:
Occurred: 30 June 2004

Classifications:

  • Attack Method: Cross Site Scripting (XSS)
  • Attack Method: SQL Injection
  • Outcome: Disclosure Only

References:

WHID 2003-8: SQL Injection in PetCo.com leads to FTC investigation
Reported:
Occurred: 05 December 2003

Classifications:

  • Attack Method: SQL Injection
  • Outcome: Disclosure Only

References:

WHID 2003-4: SQL injection on Guess site triggers an FTC inquiry
Reported:
Occurred: 18 June 2003

Classifications:

  • Attack Method: SQL Injection
  • Outcome: Disclosure Only

References:

WHID 2005-21: Insufficient authentication on USC admissions site allowed access to applicants data
Reported:
Occurred: 05 July 2005

Classifications:

  • Attack Method: SQL Injection
  • Attack Method: OS Commanding
  • Attack Method: Insufficient Authorization
  • Outcome: Disclosure Only

A person who discovered an SQL injection vulnerability in a USC system and informed SecurityFocus about the flaw was criminally charged with breaking into the system.

References:

WHID 2003-9: Defenses lacking at social network sites
Reported:
Occurred: 31 December 2003

Classifications:

  • Attack Method: SQL Injection
  • Attack Method: Cross Site Scripting (XSS)

References:

WHID 2005-13: Hacker attacked weak point on Kakaku.com's Web Site
Reported:
Occurred: 18 May 2005

Classifications:

  • Attack Method: SQL Injection

References:



This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

 
© Copyright 2005, Web Application Security Consortium. All rights reserved.