The Web Hacking Incidents Database (last update: 17 February 2008)
List of incidents for the year 2006
44 incidents listed
Reported: 02 April 2007; Occurred: 22 December 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
Zone-h is one of the best (well, the best, not just one of them) web sites to follow if you are interested in what the bad guys do. Their account of how their own web site was defaced is a classic. And no, it was not their fault. The incident shows how a seemingly minor vulnerability in a major web site (a Hotmail XSS bug) can be used to deface another, unrelated site in a very elaborate and targeted attack.
References:
Reported: 30 March 2007; Occurred: 27 November 2006
Classifications:
A small credit union web site was hacked and its traffic redirected to a pharming site. About 180 users were redirected, of whom 12 were tricked into providing their personal information to the attackers. $500 is known to have been stolen from one of the victims.
References:
Reported: 30 March 2007; Occurred: 17 December 2006
Classifications:
- Attack Method: Content Spoofing
A Korean shopping system was vulnerable to hidden field manipulation: a determined hacker purchased $6000 worth of merchandise at 45 stores for far less than its price.
References:
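The entry above says only that a hidden field was manipulated. The usual shape of that bug is a checkout that trusts a price (or total) the browser posts back in a hidden input. The following is an added example, not code from WHID or from the Korean shopping system; the catalogue, the form fields and the secret key are constructed for illustration. It shows the vulnerable computation next to the fix (recompute from server-side data) and, for state that really must round-trip through the client, an HMAC tag that makes tampering detectable.

```python
import hmac
import hashlib
from decimal import Decimal

# Constructed sample catalogue. In a real shop this (not the form) is the
# only source of truth for prices.
CATALOG = {
    "SKU-1001": Decimal("120.00"),
    "SKU-2002": Decimal("45.50"),
}

# Hypothetical server-side secret for tagging hidden fields; in practice a
# random key that never reaches the client.
SERVER_SECRET = b"example-only-secret"


def vulnerable_checkout(form: dict) -> Decimal:
    """The flaw: the total is computed from a hidden 'price' field the
    browser posted, so an attacker edits the form and pays what they like."""
    return Decimal(form["price"]) * int(form["qty"])


def safe_checkout(form: dict) -> Decimal:
    """Ignore any client-supplied price and recompute from the catalogue."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("bad quantity")
    return CATALOG[sku] * qty


def sign_field(value: str) -> str:
    """For state that genuinely must round-trip through a hidden field,
    attach an HMAC tag so tampering is detectable on the way back."""
    tag = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"


def verify_field(signed: str):
    """Return the original value, or None if the tag is missing or wrong."""
    value, sep, tag = signed.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    tampered = {"sku": "SKU-1001", "qty": "3", "price": "0.01"}
    print("vulnerable total:", vulnerable_checkout(tampered))  # 0.03
    print("safe total:", safe_checkout(tampered))              # 360.00
```

The tag only proves the server produced the value; it does not make the value secret, so anything sensitive still belongs in the server-side session rather than in the form.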
Reported: 27 July 2006; Occurred: 26 July 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
Most XSS vulnerabilities are benign, and in many cases they are hardly exploitable. In this case Netscape's new Digg-like shared news site was hacked using a persistent XSS attack, so every viewer of the site was attacked, luckily only to be shown funny dialog boxes.
References:
- Netscape.com hacked
Blog Entry, F-Secure, 26 July 2006
- Netscape.com hit with cross-site scripting attack
News Story, Search Security, 26 July 2006
- AOL Fixes Netscape.com XSS Hack
News Story, Beta News, 26 July 2006
- Netscape Hacked, Professor Denies Sexiness Claims
News Story, SecurityPro News, 26 July 2006
- NetScape.com - JavaScript Exploit Embaressment
Blog Entry, Threadwatch.org, 26 July 2006
Reported: 24 July 2006; Occurred: 16 June 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
While XSS vulnerabilities in public web sites are found daily, this one is of special interest. It was found in one of the sites most targeted by phishers, it is exploitable for phishing, and it was exploited. On top of that, it seems to have been discovered and reported to PayPal two years earlier but ignored due to a communication failure.
References:
Reported: 24 July 2006; Occurred: 16 June 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Attack Method: Abuse of Functionality
A bug in MySpace allowed a single click on an incoming bulletin to forward it to all of the recipient's contacts, making spreading a worm (or any content, for that matter) far too easy.
References:
Reported: 24 July 2006; Occurred: 30 June 2006
Classifications:
- Attack Method: Insufficient Authorization
- Attack Method: Predictable Resource Location
- Outcome: Disclosure Only
MySpace bulletins, presumably accessible only to the social network of the originator, can be accessed by anyone by iterating through a message ID query parameter.
References:
Reported: 24 July 2006; Occurred: 04 July 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
An XSS vulnerability exists in the feature that allows adding an arbitrary RSS feed to personalized Google pages. Since this page resides on the main www.google.com host, the executed JavaScript can access any resource on that origin.
References:
Reported: 24 July 2006; Occurred: 12 July 2006
Classifications:
- Attack Method: Insufficient Authorization
- Outcome: Disclosure Only
Altiris seems to have designed their servers so that it is easy both to access their customers' uploads and to find out the customers' e-mail addresses.
References:
Reported: 24 July 2006; Occurred: 16 July 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Worm
MySpace seems to be a haven for XSS worms. This one is even more interesting, as it uses JavaScript embedded in a Flash file. It is also interesting in that it seems to combine the popular political-defacement trend with a high-level application-layer exploit.
References:
Reported: 09 May 2006; Occurred: 05 May 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
A researcher found that the login error page on this site can be injected with script.
References:
Reported: 09 May 2006; Occurred: 28 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Libero.it is the Web portal of a big Italian ISP offering dial-up, broadband and talk services. A script on its customer service pages that provides a connection speed test is vulnerable to XSS.
References:
Reported: 09 May 2006; Occurred: 04 May 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Alexadex is an online investment game. There is an XSS vulnerability in the group adding functionality.
References:
Reported: 09 May 2006; Occurred: 21 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Yahoo Mail does not properly filter the CSS "expression" keyword when it contains an encoded comment.
References:
Reported: 09 May 2006; Occurred: 03 January 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
This community site allows including scripts in multiple locations, including one's personal profile, thus enabling XSS.
References:
Reported: 30 April 2006; Occurred: 25 April 2006
Classifications:
- Attack Method: OS Commanding
A hacker successfully abused a vulnerability in Horde to penetrate a site owned by the National Security Agency of the Slovak Republic.
References:
Reported: 20 April 2006; Occurred: 16 April 2006
Classifications:
Tlen.PL is a popular Polish IM system provided by o2.pl, which includes e-mail accounts. The e-mail client is web based, with a browser embedded in the messenger software. Certain webmail servers do not validate the e-mail subject for HTML tags, allowing an attacker to inject script code.
References:
Reported: 20 April 2006; Occurred: 29 March 2006
Classifications:
- Attack Method: SQL Injection
- Outcome: Disclosure Only
www.incredibleindia.org is the official Indian government tourism website.
The researcher found that the PageID parameter of the page ms_Page.asp is vulnerable to SQL injection. He further verified that the SQL error messages returned by the site make the standard probing methods for finding out the number of columns and their types work.
References:
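The entry above mentions the standard probing method but not what it looks like. The following is an added example, not code from WHID or from the incredibleindia.org site, against a constructed in-memory SQLite database (the table and column names are invented). It shows the vulnerable query construction, the ORDER BY probe that counts columns from the error boundary the entry describes, a UNION SELECT padded to that width, and the parameterized query that makes the same payloads inert.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's database: a public 'pages' table
    and a private table the injection will reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO pages VALUES (1, 'Kerala', 'Backwaters');
        INSERT INTO pages VALUES (2, 'Goa', 'Beaches');
        CREATE TABLE admins(id INTEGER PRIMARY KEY, login TEXT, pwhash TEXT);
        INSERT INTO admins VALUES (1, 'webmaster', 'constructed-hash');
    """)
    return conn


def vulnerable_page(conn, page_id: str):
    """The flaw: the untrusted parameter is pasted into the SQL text."""
    sql = f"SELECT title, body FROM pages WHERE id = {page_id}"
    return conn.execute(sql).fetchall()


def safe_page(conn, page_id: str):
    """Validate the type, then bind the value; the SQL text never changes."""
    try:
        pid = int(page_id)
    except ValueError:
        return []
    return conn.execute("SELECT title, body FROM pages WHERE id = ?", (pid,)).fetchall()


def count_columns(query, max_cols: int = 10):
    """ORDER BY probing: 'ORDER BY n' succeeds while n <= column count and
    raises a database error beyond it, so the first failing n gives n - 1."""
    for n in range(1, max_cols + 1):
        try:
            query(f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None  # no error observed: the parameter is probably not injectable


def union_dump(query, cols: int):
    """With the column count known, pad a UNION SELECT to the same width."""
    padding = ", NULL" * (cols - 2)
    return query(f"0 UNION SELECT login, pwhash{padding} FROM admins")


DB = build_db()


def vulnerable_probe(page_id: str):
    return vulnerable_page(DB, page_id)


def safe_probe(page_id: str):
    return safe_page(DB, page_id)


if __name__ == "__main__":
    cols = count_columns(vulnerable_probe)
    print("columns:", cols)                    # 2
    print(union_dump(vulnerable_probe, cols))  # [('webmaster', 'constructed-hash')]
    print(count_columns(safe_probe))           # None
```

The probe relies on the error being observable, which is exactly what the entry notes about the site's verbose SQL error messages; suppressing the messages slows the attacker down but does not fix the injection, only the parameter binding does.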
Reported: 18 April 2006; Occurred: 17 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Phishing
An XSS vulnerability in Yahoo Mail is actively exploited for targeted phishing.
References:
Reported: 12 April 2006; Occurred: 10 January 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
ICQ.com's search script (search_result.php) is vulnerable to cross-site scripting attacks. The problem is due to a failure of the application to properly sanitize user input; the input can be passed to the vulnerable script in two variables (gender and home_country_code).
References:
Reported: 12 April 2006; Occurred: 01 January 2006
Classifications:
- Attack Method: SQL Injection
- Outcome: Disclosure Only
The CIO of a bank in Singapore reports that many application-layer vulnerabilities, including SQL injection, were discovered in a banking application they had purchased, before it was put into production.
References:
Reported: 12 April 2006; Occurred: 12 February 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Everyone.net's login script (loginuser.pl) is prone to a cross-site scripting attack via the loginName variable.
References:
Reported: 12 April 2006; Occurred: 24 February 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Sourceforge download pages are vulnerable to XSS.
References:
Reported: 12 April 2006; Occurred: 20 February 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
The $a variable in Hotmail's inbox is vulnerable to cross-site scripting. Exploitation requires the victim to open the e-mail message.
References:
Reported: 10 April 2006; Occurred: 09 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Sourceforge forum search is vulnerable to XSS.
References:
Reported: 10 April 2006; Occurred: 04 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Yet another Google XSS. This time it hits the Arabic variant of the main search site; the language selector parameter is what enables the attack.
References:
Reported: 10 April 2006; Occurred: 05 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Forget putting <script> tags in an input field. This high-tech vulnerability exploits the code handling online/offline flags by inserting a malicious online/offline flag. Awesome.
References:
Reported: 10 April 2006; Occurred: 05 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
Israblog is a large Israeli blogging site. A hacker used XSS to hijack bloggers' sessions and deface their blogs. The defacement was used to inform the world that Israblog's lead developer is a bad programmer.
References:
Reported: 10 April 2006; Occurred: 31 March 2006
Classifications:
- Attack Method: Insufficient Authentication
A security hole in Sydney internet provider Astratel's LiveBilling online account management system seriously compromised its customers' privacy. The service redirected users to a different server and propagated the user information in a hidden form field without re-authenticating.
References:
Reported: 04 April 2006; Occurred: 20 March 2006
Classifications:
- Attack Method: Weak Password Recovery Validation
- Outcome: Disclosure Only
A UK Security Consulting firm reports that 54 UK sites that it has surveyed have flaws in the "forgotten password" feature.
References:
Reported: 04 April 2006; Occurred: 04 April 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
eBay contains a cross-site scripting vulnerability. When an eBay user posts an auction, eBay allows SCRIPT tags to be included in the auction description, which creates a cross-site scripting vulnerability in the eBay website.
References:
Reported: 04 April 2006; Occurred: 17 March 2006
Classifications:
In this very interesting attack a hacker broke into the informational web sites of several smaller banks in Florida. He then changed the link on the informational pages that points to the outsourced transactional web site so that it pointed to his own phishing site.
While the vulnerability that enabled the hacker to penetrate the informational sites is not known, this is a very interesting example of a targeted web attack. It highlights the importance of protecting every web site, not just the core business logic.
References:
Reported: 29 March 2006; Occurred: 28 January 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Hotmail's filtering engine insufficiently filters JavaScript. It is possible to write JavaScript in the BGCOLOR attribute of the BODY tag, using CSS, which leads to execution when the e-mail is viewed. The JavaScript must be Unicode encoded in order to fool the filter; this encoding is recognized by IE 6 and later.
References:
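This Hotmail entry, the Yahoo Mail entry of 21 April 2006 (an encoded comment inside the "expression" keyword) and the other webmail XSS entries on this page share one pattern: a keyword filter applied to the raw CSS, which the attacker defeats because the browser decodes comments and escapes before it sees the keyword. The following is an added example, not code from WHID or from any of the affected mail systems, and the exact encodings used in those incidents are not on record here; it generalizes to the CSS comment and hex-escape encodings a filter must normalize. It shows a naive filter being bypassed, a normalizer that decodes the way a browser does, and the allowlist rebuild that is the robust fix.

```python
import re


def naive_style_filter(style: str) -> bool:
    """A keyword filter of the kind these reports describe as bypassed.
    Returns True when the style would be let through."""
    return "expression(" not in style.lower()


CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# A CSS escape is a backslash, 1-6 hex digits and one optional whitespace
# character ("\65 " is "e"), or a backslash and any other single character.
CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n]?|\\(.)", re.S)


def normalize_css(style: str) -> str:
    """Undo the encodings an attacker uses to hide a keyword from a filter:
    strip comments, decode escapes, drop control characters, lowercase."""
    style = CSS_COMMENT.sub("", style)          # exp/**/ression -> expression

    def unescape(m):
        if m.group(1) is not None:
            code = int(m.group(1), 16)
            return chr(code) if 0 < code <= 0x10FFFF else ""
        return m.group(2)

    style = CSS_ESCAPE.sub(unescape, style)     # \65xpression -> expression
    style = re.sub(r"[\x00-\x1f\x7f]", "", style)
    return style.lower()


# Allowlist: known properties with simple values only. Anything with a
# function call, a URL or an unknown property is dropped, not "cleaned".
SAFE_PROPERTIES = {"color", "background-color", "font-size", "font-weight", "text-align"}
VALUE_OK = re.compile(r"^(#[0-9a-f]{3,6}|[a-z-]+|\d+(\.\d+)?(px|em|%)?)$")


def allowlist_style(style: str) -> str:
    """Rebuild the style attribute from scratch, keeping only declarations
    that pass the allowlist after normalization."""
    kept = []
    for decl in normalize_css(style).split(";"):
        if ":" not in decl:
            continue
        prop, value = (part.strip() for part in decl.split(":", 1))
        if prop in SAFE_PROPERTIES and VALUE_OK.match(value):
            kept.append(f"{prop}:{value}")
    return ";".join(kept)


if __name__ == "__main__":
    for payload in ("color: exp/**/ression(alert(1))", r"color: \65xpression(alert(1))"):
        print(naive_style_filter(payload), "|", normalize_css(payload), "|", allowlist_style(payload))
```

Normalizing and then searching for bad keywords is still a deny-list and will miss the next encoding trick; the allowlist rebuild is the part to keep, and normalization exists only so that the allowlist sees what the browser will see.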
Reported: 22 March 2006; Occurred: 13 February 2006
Classifications:
The web site of a minor league baseball team was hacked and personal details of fans were stolen.
References:
Reported: 22 March 2006; Occurred: 16 March 2006
Classifications:
A musical instrument and sound gear Web site that advertises its relationship with artists such as Dave Matthews, Carlos Santana and Mary J. Blige was breached and notified some customers that their credit card information may have been stolen.
References:
Reported: 05 March 2006; Occurred: 22 February 2006
Classifications:
- Attack Method: Redirection
- Outcome: Disclosure Only
Google Reader allows open redirection, so sites can fool users into subscribing to malicious content.
References:
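The entry above does not say which parameter was involved, so the following is an added example, not Google Reader's code or a description of its fix: a generic check for a "redirect after login/subscribe" parameter, with the site host assumed to be reader.example.com. It rejects the cases that routinely slip past a "starts with /" test: scheme-relative //host, backslashes that browsers turn into slashes, userinfo tricks (host@evil), and non-http schemes.

```python
import re
from urllib.parse import urlsplit

# Assumed: the host the application itself is served from.
SITE_HOST = "reader.example.com"


def normalize_target(target: str) -> str:
    """Browsers drop some control characters and treat backslashes in
    http URLs as slashes ("/\\evil" becomes "//evil"); do the same first."""
    return re.sub(r"[\x00-\x20\x7f]", "", target).replace("\\", "/")


def is_safe_redirect(target: str) -> bool:
    """Allow only a local absolute path or an http(s) URL on SITE_HOST."""
    target = normalize_target(target)
    if not target:
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                              # javascript:, data:, ...
    if parts.netloc:                              # absolute or scheme-relative "//host"
        # Compare the whole netloc: "site@evil" and "site:8080" both fail.
        return parts.netloc.lower() == SITE_HOST
    # Relative target: a single leading slash only, so "//" and "///" are out.
    return target.startswith("/") and not target.startswith("//")


def redirect_target(requested: str, fallback: str = "/") -> str:
    """What the Location header should carry for a user-supplied target."""
    cleaned = normalize_target(requested)
    return cleaned if is_safe_redirect(cleaned) else fallback


if __name__ == "__main__":
    for t in ("/view/feed", "//evil.example/phish", "https://reader.example.com@evil.example/"):
        print(t, "->", redirect_target(t))
```

Comparing the full netloc rather than just the hostname is deliberately strict: a legitimate redirect to a different port or subdomain should be added to the allowlist explicitly rather than matched by a looser rule.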
Reported: 05 March 2006; Occurred: 02 March 2006
Classifications:
- Attack Method: SQL Injection
A mass defacement of a Philippine hosting service was carried out using SQL injection. It incidentally also defaced the site of the National Union of Journalists of the Philippines, which led some to believe that it was a targeted political attack.
References:
Reported: 05 March 2006; Occurred: 02 March 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
A 14-year-old claims to have discovered an XSS flaw in Google's Gmail. Comments have been mixed, and Google did not comment, so either the flaw was fixed pretty fast, or it did not exist.
References:
Reported: 05 March 2006; Occurred: 25 February 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
- Outcome: Disclosure Only
Links sent to a user as part of the mail content are not properly sanitized, so a user receiving such mail and activating a link would be affected.
References:
Reported: 03 March 2006; Occurred: 28 February 2006
Classifications:
- Attack Method: Cross Site Scripting (XSS)
Unlike other XSS cases, this one was discovered due to actual abuse on a specific auction at eBay.
References:
- Ebay XSS
Mailing List Post, Full Disclosure, 28 February 2006
Reported: 26 February 2006; Occurred: 17 January 2006
Classifications:
- Attack Method: Insufficient Anti-automation
A hosting provider was broken into by brute-forcing passwords in a management interface. Sites of many clients, including three municipalities, were defaced.
References:
Reported: 26 February 2006; Occurred: 13 January 2006
Classifications:
- Attack Method: Insufficient Authorization
- Attack Method: Predictable Resource Location
- Outcome: Disclosure Only
Documents uploaded to a GSA site were accessed using a predictable sequential identifier without requiring special permissions. The documents were available both for viewing and modifying. The site was in service for more than 18 months before the vulnerability was discovered.
References:
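This GSA entry and the MySpace bulletins entry of 30 June 2006 are the same bug: an object is fetched by a sequential identifier and the application never asks whether the requester is allowed to see that particular object. The following is an added example, not code from WHID, MySpace or the GSA site; the bulletin store, user names and access-log lines are constructed. It shows the vulnerable lookup beside one that authorizes the (requester, object) pair, and, for the detection side, a check over access logs that flags a client walking consecutive identifiers, which is how both incidents would have looked in the logs.

```python
import re
from collections import defaultdict

# Constructed store: bulletin id -> (author, allowed readers, text)
BULLETINS = {
    1001: ("alice", {"bob", "carol"}, "party at 8"),
    1002: ("dave", {"erin"}, "private: new phone number"),
}


def vulnerable_get(requester: str, bulletin_id: int):
    """The flaw: the lookup is by id only, so anyone who can guess or
    iterate ids reads every bulletin."""
    return BULLETINS.get(bulletin_id)


def safe_get(requester: str, bulletin_id: int):
    """Authorize the (requester, object) pair on every access. Denied and
    missing both return None so responses do not confirm which ids exist."""
    rec = BULLETINS.get(bulletin_id)
    if rec is None:
        return None
    author, readers, _text = rec
    if requester != author and requester not in readers:
        return None
    return rec


# Constructed access-log lines: "client path status".
SAMPLE_LOG = """\
10.0.0.5 /bulletin?messageID=1001 200
10.0.0.5 /bulletin?messageID=1002 200
10.0.0.5 /bulletin?messageID=1003 200
10.0.0.5 /bulletin?messageID=1004 200
10.0.0.5 /bulletin?messageID=1005 200
10.0.0.5 /bulletin?messageID=1006 200
10.0.0.9 /bulletin?messageID=1001 200
10.0.0.9 /bulletin?messageID=4711 200
"""

ID_PARAM = re.compile(r"[?&]messageID=(\d+)")


def detect_enumeration(log_text: str, min_run: int = 5):
    """Flag clients whose distinct requested ids contain a run of at least
    min_run consecutive integers: the signature of iterating a sequential id."""
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        client, path, _status = line.split()
        m = ID_PARAM.search(path)
        if m:
            ids_by_client[client].add(int(m.group(1)))
    flagged = []
    for client, ids in ids_by_client.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    print(vulnerable_get("mallory", 1002))   # leaks dave's bulletin
    print(safe_get("mallory", 1002))         # None
    print(detect_enumeration(SAMPLE_LOG))    # ['10.0.0.5']
```

Replacing sequential ids with random tokens makes enumeration impractical and is worth doing, but it is a complement to the authorization check, not a substitute: a token that leaks (in a referrer, a shared link, a log) must still be useless to anyone but its intended readers.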
Reported: 26 February 2006; Occurred: 02 January 2006
Classifications:
- Attack Method: HTTP Response Splitting
- Outcome: Disclosure Only
References:
Reported: 26 February 2006; Occurred: 13 January 2006
Classifications:
- Attack Method: SQL Injection
Russian hackers broke into a Rhode Island government Web site and allegedly stole credit card data from individuals who had done business online with state agencies. The hackers claimed to have stolen 53,000 credit card numbers, while the hosting service provider claims the number was just 4113.
The technical reference site is in Russian; you can use Applied Languages Solutions for an online translation.
References:
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.