The Web Hacking Incidents Database Last update: 07 November 2007
List of incidents of class Predictable Resource Location
There are 8 incidents of class Predictable Resource Location
Date: 30 May 2007
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization, Predictable Resource Location
Google left some files in the wrong place at the wrong time. These files included, surprisingly, database connection strings, complete with a user name and a password. Hardly news, but this time it is Google.
References:
Date: 30 June 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization, Predictable Resource Location
MySpace bulletins, presumably accessible only to the social network of the originator, could be accessed by anyone by iterating through a message id query parameter.
References:
Date: 13 January 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization, Predictable Resource Location
Documents uploaded to the GSA site were accessed using a predictable sequential identifier without requiring special permissions. The documents were available both for viewing and for modifying. The site was in service for more than 18 months until the vulnerability was discovered.
References:
Date: 01 November 2004
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authentication, Predictable Resource Location
Following a software upgrade, Cahoot, a UK-based Internet-only bank, allowed access to user accounts by guessing their user names. At least one page allowed access to an account by specifying only the user name in the URL. The bug was open for 12 days before being discovered.
The site was taken offline for 10 hours to fix the issue. It is a significant incident, as it is one of those rare occasions where a vulnerability was serious enough to force the organization to take the site offline until it was fixed.
We somehow missed this story, so it finds its way to WHID only now, in late 2007.
References:
Date: 25 September 2003
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Information Leakage, Predictable Resource Location
User-submitted information was being stored in a publicly available location. The URL was found in the source code of a publicly available web page.
References:
Date: 21 September 2002
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authorization, Predictable Resource Location
References:
Date: 22 January 2001
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Predictable Resource Location
Sensitive files were left in a publicly accessible directory of a new web server install.
References:
Date: 10 September 2000
Incident Type: Security Breach
WASC Threat Classification: Predictable Resource Location
Sensitive files were left in a publicly accessible directory during a maintenance window.
References:
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.