The Web Hacking Incidents Database

Updated: 8 February 2009

The Web Hacking Incidents Database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web application related security incidents. WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide information for statistical analysis of web application security incidents.

"Thanks so much for the WHID, having a public repository such as this makes it easier for security practitioners to justify what they do for their colleagues. You make my job easier, thanks!"

-Erik Cabetas, Security Officer for a large E-Commerce website.

The database is unique in tracking only media-reported security incidents that can be associated with a web application security vulnerability. Refer to the FAQ for further information on what you will and will not find in WHID. If you have additional information on these or other web hacking incidents, you are more than welcome to share it with us.

Drill Down (by Attack Method, Outcome, or Year)

Attack Method:
Administration Error
ARP spoofing
Bots and Worms
Brute Force
Buffer Overflow
Clickjacking
Content Spoofing
Credential/Session Prediction
Cross Site Request Forgery (CSRF)
Cross Site Scripting (XSS)
Denial of Service
Directory Indexing
DNS Hijacking
Drive by Pharming
Failure to Restrict URL Access
Format String Attack
HTTP Response Splitting
Improper Error Handling
Insecure Direct Object Reference
Insufficient Anti Automation
Insufficient Authentication
Insufficient Authorization
Insufficient Encryption
Insufficient Process Validation
Insufficient Session Expiration
Known Vulnerability
LDAP Injection
Local File Inclusion (LFI)
Misconfiguration
OS Commanding
Other
Path Traversal
Predictable Resource Location
Redirection
Remote File Inclusion
Session Fixation
Session Hijacking
SQL Injection
SSI Injection
Unintentional Information Disclosure
Unknown
Various
Weak Password Recovery Validation
Worm
XPath Injection

Outcome:

Real World Impact:
Chaos
Deceit
Extortion
Identity Theft
Information Warfare
Monetary Loss
- Loss of Sales
Physical Pain
Political Defacement

Intermediate outcome:
Defacement
Downtime
Leakage of Information
Link Spam
Phishing
Planting of Malware
Spam

Other:
Disclosure Only
Various

Year:

1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009

Disclaimers: WHID is based entirely on public information. All the incidents listed here were reported publicly on other web sites, and each incident includes references to those sites. Please also note that, unless mentioned otherwise, all the vulnerabilities listed have already been fixed.