The Web Hacking Incidents Database

The Web Hacking Incidents Database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of security incidents involving web applications. This site hosts the actual WHID incident database. Further information can be found on the WHID home page.

Drill Down

Attack Method

Administration Error
ARP Spoofing
Bots and Worms
Brute Force
Buffer Overflow
Clickjacking
Content Spoofing
Credential/Session Prediction
Cross Site Request Forgery (CSRF)
Cross Site Scripting (XSS)
Denial of Service
Directory Indexing
DNS Hijacking
Drive-by Pharming
Failure to Restrict URL Access
Format String Attack
HTTP Response Splitting
Improper Error Handling
Insecure Direct Object Reference
Insufficient Anti-Automation
Insufficient Authentication
Insufficient Authorization
Insufficient Encryption
Insufficient Process Validation
Insufficient Session Expiration
Known Vulnerability
LDAP Injection
Local File Inclusion (LFI)
Misconfiguration
OS Commanding
Other
Path Traversal
Predictable Resource Location
Redirection
Remote File Inclusion (RFI)
Session Fixation
Session Hijacking
SQL Injection
SSI Injection
Unintentional Information Disclosure
Unknown
Various
Weak Password Recovery Validation
Worm
XPath Injection

Outcome

Real World Impact:
Chaos
Deceit
Extortion
Identity Theft
Information Warfare
Monetary Loss
- Loss of Sales
Physical Pain
Political Defacement

Intermediate Outcome:
Defacement
Downtime
Leakage of Information
Link Spam
Phishing
Planting of Malware
Spam

Other:
Disclosure Only
Various

Year

1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009

Disclaimers: WHID is based entirely on public information. All the incidents listed here were reported publicly on other web sites before being added, and each incident entry includes references to those sites. Unless mentioned otherwise, all the vulnerabilities listed have already been fixed.