The Web Hacking Incident Database


At the OWASP USA AppSec conference in New York in 2008, I presented an analysis of the Web Hacking Incidents Database project, which I founded and led at the time, trying to assess from it what the real application security risks an organization faces are, focusing on a comparison with the picture portrayed by the OWASP Top 10.

You can watch the video below or read the slides here.

Using WHID to Assess Risk

Submitted by Ofer Shezaf on 22 December 2008 - 5:06pm

The web hacking incidents database provides a tool for assessing the risk in insecure web applications. Such risk analysis is important in order to make sure that resources are spent wisely when fixing or protecting web applications. The attached presentation discusses risk analysis for security of web applications, and addresses the role WHID can have in such an analysis.

The outline of the presentation is:

WHID Inclusion Criteria, Again

Submitted by Ofer Shezaf on 28 January 2008 - 8:17am

One of the issues haunting WHID since its inception two years ago is inclusion criteria: which incidents get in? WHID's goal is not to provide an alternative to Zone-H's defaced-sites archive or to ScanSafe's Threat Alert, which tracks malware planted on web sites.

Is XSS the killer vulnerability?

Submitted by Ofer Shezaf on 3 September 2007 - 3:38pm

XSS has dominated the Web Hacking Incidents Database statistics page since its inception. The immediate conclusion is that XSS is the most dangerous vulnerability of them all. Is that so, or is it just a common research error?

WHID Inclusion Criteria

Submitted by Ofer Shezaf on 2 September 2007 - 3:42pm

The entry in the Web Hacking Incidents Database FAQ describing which incidents are included in the database and which are not seems simple, but hides a lot of complexity. While it might seem obvious what a web hack is, nothing is further from the truth. Is a hack only a real break-in, or any vulnerability discovered in a live web site? We recently changed the criteria for inclusion in WHID. The reason was simple: to make the database more useful.

The CardSystems incident is finally part of WHID

Submitted by Ofer Shezaf on 20 April 2006 - 3:44pm

Until today, the CardSystems incident, probably the best-known information security breach ever, was mentioned in WHID only in the FAQ. It was cited there as an example of an incident that we would like to add to WHID but cannot, because there is no public information about how the hack was done. Today, nearly a year after it was first publicized, it was added to this database.

While we always suspected that it was a web hack and industry rumors hinted that, no public information regarding the way in which the hack was done was available until now.

The Internet Vacuum Cleaners

Submitted by Ofer Shezaf on 23 March 2006 - 3:53pm

If you took a look at the statistics page, you probably saw that in 2005 the number of reported incidents grew rapidly. This is probably at least partially because we started collecting information in 2005. But I believe that there is an additional reason: many more people are concerned with web application security and are inspecting online services in search of vulnerabilities.