What incidents are included in the Web Hacking Incident Database?
The Web Hacking Incident Database only tracks media-reported security
incidents that can be associated with a web application security
vulnerability. We also try to limit the database to targeted attacks,
though the distinction between targeted and non-targeted attacks is a
grey one.
The database does not include known vulnerabilities in web-based
applications, an area well covered by other databases such as
CVE,
OSVDB or the
Bugtraq vulnerabilities
database. Nor does the database include incidents in which web
sites were breached using operating-system or network-layer
vulnerabilities.
We also consider most web site defacements to be non-targeted attacks
and do not include them in the database. For information about web site
defacements, refer to zone-h.
As those criteria are somewhat subjective, we welcome comments on the
inclusion or exclusion of publicized security breaches.
Were there really only a few dozen web hacks last year?
The criteria for inclusion in WHID are very strict. The goal is to list only
incidents that are related to web application layer vulnerabilities, in order
to show that application-layer security is a risk that can no longer be ignored.
Keep in mind that while there are countless website hacks and defacements,
most are not reported. Even for those that are reported, it is usually
difficult to tell exactly how they occurred.
Specifically regarding the defacement incidents reported at
zone-h, bear in mind that in nearly all of
these incidents there is no public information on how they were
carried out. Additionally, many defacements are not targeted but are the result
of a wide scan for vulnerable sites, and therefore we do not normally include
defacements in WHID.
Why can't I find a well known incident in the database?
The reason is probably that the incident did not occur due to a web
application vulnerability, or that we do not know how it happened. For
example, probably the most well-known information security breach ever,
the CardSystems incident, was added
only in April 2006, nearly a year after it was initially publicized.
While we always suspected that it was a web hack, and industry rumors
hinted at it, no public information regarding the
way in which the hack was done was available until April 2006. In fact,
earlier versions of this FAQ cited the CardSystems incident as
an example of an incident that we would like to add to WHID but could not.
For other hacks, such information is not available and may never become
available.
How reliable are the incidents reported at WHID?
The data collected is NOT reported directly to WASC but is rather collected
from public sources, mostly technical media, mailing list posts and researcher
advisories. As a result, the reliability of the reported information depends on
the source. Since the source (or sources) is included with each entry, the
reader can assess its reliability independently. We do, however, assess the source
before including an incident in the database, and if for whatever reason
something we added to the database is found to be erroneous, we remove it,
though this has never happened to date.
For media-reported incidents, we are trusting that the reporter or news outlet
verified the information. For incidents reported on mailing lists and in research
advisories, the issues are normally quickly confirmed or refuted by other
subscribers or by the affected vendor. In case of doubt, evaluate the level of
information provided in the disclosure and the publishing history of the
researcher.
Breach vs. Disclosure
The database includes two types of incidents: "breach" and
"disclosure". Breaches are incidents in which a web site was
compromised, while disclosures are incidents in which a researcher
published a vulnerability in a web site. In other words, breaches are
incidents in which we know the bad guys took advantage of a vulnerability,
while disclosures are incidents in which we hope the good guys were
first.
The "Unknown" Threat Classification
All incidents are
classified according to the Web Application Security Consortium Threat
Classification (WASC-TC). This classification sheds light on the nature
of the security vulnerability in the web application.
Some of the incidents are classified as "Unknown". You may
wonder why these incidents were included in the list, as there is no
way to know that the attacker exploited a web application vulnerability.
In some cases the public information available states explicitly that the
incident exploited a web application vulnerability, and in others we
deduced it from the available information.
How can I contribute to the project?
The biggest help you can give is to send us links to public reports of web
hacking incidents. We are mostly interested in the less well-known stories (so
don't forward a Bugtraq posting).
Incidents from around the world are also very interesting, but we need an
English public report on them, so you can help by translating a local news story
and posting it on a public group such as WASC's
Web Security mailing
list.
Lastly, as there are many incidents for which we lack the technical
information that would let us classify them as application-layer
hacks, we are always searching for additional technical information on known
incidents.