Web Application Security Consortium - Web hacking Incidents Database (WHID)

Contributors

Jeremiah Grossman
(WhiteHat Security)

Ofer Shezaf
(Breach Security ) [Project Leader]

The Web Hacking Incidents Database
Last update:07 November 2007

List of incidents of class Insufficient Process Validation

Full List
By Class
By ID

1999
2000
2001
2002
2003
2004
2005
2006
2007

RSS
Statistics
Blog
FAQ
About

WHID

Other WASC threat classifications:
Abuse of Functionality, Brute Force, Content Spoofing, Credential/Session Prediction, Cross-site Scripting, Defacement, Denial of Service, Directory Indexing, HTTP Response Splitting, Information Leakage, Insufficient Anti-automation, Insufficient Authentication, Insufficient Authorization, Insufficient Process Validation, Insufficient Session Expiration, Known Vulnerabity, Misconfiguration, OS Commanding, Other, Path Traversal, Phishing, Predictable Resource Location, Redirection, SQL Injection, Unknown, Weak Password Recovery Validation, Worm

There are 1 incidents of class Insufficient Process Validation

WHID 2007-14: Your Free MacWorld Expo Platinum Pass

Date: 11 January 2007
Incident Type: Security Breach
WASC Threat Classification: Insufficient Process Validation

A priority code, used to get free platinum pass to MacWorld Expo, was validated on the client and enabled anyone get the pass for free. While "grutz" informed the organizers about it, when going over their log files they found out that others abused the vulnerability without letting anyone know about it.

References:

Macworld crack offers VIP passes, hacker says [CNet]

Your Free MacWorld Expo Platinum Pass (valued at $1,695) [Grutz]

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.