Contributors

Jeremiah Grossman
(WhiteHat Security)

Ofer Shezaf
(Breach Security) [Project Leader]

The Web Hacking Incidents Database
Last update: 07 November 2007

List of incidents of class Defacement

Other WASC threat classifications:
Abuse of Functionality, Brute Force, Content Spoofing, Credential/Session Prediction, Cross-site Scripting, Defacement, Denial of Service, Directory Indexing, HTTP Response Splitting, Information Leakage, Insufficient Anti-automation, Insufficient Authentication, Insufficient Authorization, Insufficient Process Validation, Insufficient Session Expiration, Known Vulnerability, Misconfiguration, OS Commanding, Other, Path Traversal, Phishing, Predictable Resource Location, Redirection, SQL Injection, Unknown, Weak Password Recovery Validation, Worm


There is 1 incident of class Defacement
WHID 2006-13: Hackers Tap Banks' Web Sites In Unique Phishing Attack
Date: 17 March 2006
Incident Type: Security Breach
WASC Threat Classification: Defacement

In this very interesting attack a hacker broke into the informational web sites of several smaller banks in Florida. He then changed the link on the informational pages that points to the outsourced transactional web site so that it pointed to his own phishing site instead. While the vulnerability that enabled the hacker to penetrate the informational sites is not known, this is a very interesting example of a targeted web attack. It highlights the importance of protecting every web site, not just the one that hosts the core business logic: a low-value informational site can be used as the entry point for an attack on the customers of the transactional site it links to.

References:

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

© Copyright 2005, Web Application Security Consortium. All rights reserved.