List of Web Hacking Incidents: Insufficient Authorization

	Attack Method	Outcome
WHID 2009-30: Sage SaaS Withdrawn Due to Security Flaws	Insufficient Authentication Insufficient Authorization	Monetary Loss
WHID 2006-40: Data Mining MySpace Bulletins	Predictable Resource Location Insufficient Authorization	Disclosure Only
WHID 2006-38: Convenience or just bad design?	Insufficient Authorization	Disclosure Only
WHID 2006-2: GSA takes down eOffer after finding security flaw	Predictable Resource Location Insufficient Authorization	Disclosure Only
WHID 2005-48: Insufficient authorization on Papa John's Pizza chain web site	Insufficient Authorization	Disclosure Only
WHID 2005-47: SEC Vs. The Estonian Spiders	Insufficient Authorization
WHID 2005-44: Xoops web site hacked	Insufficient Authorization
WHID 2005-21: Insufficient authentication on USC admissions site allowed access to applicants data	Insufficient Authorization OS Commanding SQL Injection	Disclosure Only
WHID 2005-15: Unprotected information on the University of Chicago web site	Insufficient Authorization	Disclosure Only
WHID 2005-10: Indian SATs results leaking	Insufficient Authorization
WHID 2004-9: Billing and personal information leakage due to lack of authentication on a phone company web site	Insufficient Authorization Insufficient Authentication	Disclosure Only
WHID 2004-8: Broadcast TV announcements changed by hacking the stations web site	Insufficient Authorization
WHID 2004-7: More Scary Tales Involving Big Holes In Web-Site Security - University Sub Service	Insufficient Authorization	Disclosure Only
WHID 2004-4: More Scary Tales Involving Big Holes In Web-Site Security - Kohl's	Insufficient Authorization	Disclosure Only
WHID 2004-3: More Scary Tales Involving Big Holes In Web-Site Security - Iomega	Insufficient Authorization	Disclosure Only
WHID 2004-2: Biggest Web Problem Isn't About Privacy, It's Sloppy Security - Saks	Insufficient Authorization	Disclosure Only
WHID 2003-7: Victoria's Secret reveals far too much	Insufficient Authorization	Disclosure Only
WHID 2002-2: Advogato XSS virus account	Predictable Resource Location Insufficient Authorization

Attack Method

Outcome

WHID 2009-30: Sage SaaS Withdrawn Due to Security Flaws

Insufficient Authentication

Insufficient Authorization

Monetary Loss

WHID 2006-40: Data Mining MySpace Bulletins

Predictable Resource Location

Insufficient Authorization

Disclosure Only

WHID 2006-38: Convenience or just bad design?

Insufficient Authorization

Disclosure Only

WHID 2006-2: GSA takes down eOffer after finding security flaw

Predictable Resource Location

Insufficient Authorization

Disclosure Only

WHID 2005-48: Insufficient authorization on Papa John's Pizza chain web site

Insufficient Authorization

Disclosure Only

WHID 2005-47: SEC Vs. The Estonian Spiders

Insufficient Authorization

WHID 2005-44: Xoops web site hacked

Insufficient Authorization

WHID 2005-21: Insufficient authentication on USC admissions site allowed access to applicants data

Insufficient Authorization

OS Commanding

SQL Injection

Disclosure Only

WHID 2005-15: Unprotected information on the University of Chicago web site

Insufficient Authorization

Disclosure Only

WHID 2005-10: Indian SATs results leaking

Insufficient Authorization

WHID 2004-9: Billing and personal information leakage due to lack of authentication on a phone company web site

Insufficient Authorization

Insufficient Authentication

Disclosure Only

WHID 2004-8: Broadcast TV announcements changed by hacking the stations web site

Insufficient Authorization

WHID 2004-7: More Scary Tales Involving Big Holes In Web-Site Security - University Sub Service

Insufficient Authorization

Disclosure Only

WHID 2004-4: More Scary Tales Involving Big Holes In Web-Site Security - Kohl's

Insufficient Authorization

Disclosure Only

WHID 2004-3: More Scary Tales Involving Big Holes In Web-Site Security - Iomega

Insufficient Authorization

Disclosure Only

WHID 2004-2: Biggest Web Problem Isn't About Privacy, It's Sloppy Security - Saks

Insufficient Authorization

Disclosure Only

WHID 2003-7: Victoria's Secret reveals far too much

Insufficient Authorization

Disclosure Only

WHID 2002-2: Advogato XSS virus account

Predictable Resource Location

Insufficient Authorization

Latest Stories

WAFs are not perfect, but is any security tool perfect? (Feb 9th 2010)
Forrester estimates the WAF market to be $220M in 2010 (Feb 9th 2010)
ModSecurity exceptions for TYPO3 (Jan 20th 2010)
Presentation about WAFs in the cloud (Jan 15th 2010)
The curse of PCI for WAFs (Jan 11th 2010)
A New Year, a New Acronym (Jan 9th 2010)
A Remote Command Injection Vulnerability Applicure's dotDefender Site Management. (Dec 10th 2009)

Navigation

Subscribe:

Xiom is the place to find information about Web Application Firewalls (WAFs) including reviews, analysis, announcements and research. Tune to the RSS channel to get every bit of information or subscribe to the newsletter to receive only in depth articles.

Xiom also leasd and hosts the Web Hacking Incidents Database, a Web Application Security Consortium project aimed at maintaining a list of web applications related security incidents.

Xiom is a community web site lead by Ofer Shezaf.

WHID

The Web Hacking Incident Database

List of Web Hacking Incidents: Insufficient Authorization

The Web Hacking Incidents Database

WAF Resources

Latest Stories

Navigation