Web-Hacking-Incident-Database-FAQ

Page history last edited by Ryan Barnett 14 years ago

 

What incidents are included in the Web Hacking Incidents Database?

The Web Hacking Incident Database only tracks media reported security incidents that can be associated with a web application security vulnerability. We also try to limit the database only to targeted attacks, though the distinction between targeted and non-targeted attacks is grey.

The database does not include known vulnerabilities in web-based applications, an area well covered by other databases such as CVE, OSVDB or the Bugtraq vulnerabilities database. Neither does the database include incidents in which web sites were breached using operating system or network layer vulnerabilities.

We also consider most web site defacements to be non-targeted attacks and do not include them in the database. For information about web site defacements, refer to zone-h.

As those criteria are somewhat subjective, we welcome comments on the inclusion or exclusion of publicized security breaches.

 

Were there only a few dozen web hacks last year?

The criteria for inclusion in WHID are very strict. The goal is to list only incidents that are related to web application layer vulnerabilities. The goal is to show that application layer security is a risk we cannot ignore anymore.

Keep in mind that while there are countless website hacks and defacements, most are not reported. Even for those that are reported, most of the time it is difficult to tell exactly how they occurred.

Specifically addressing the defacement incidents reported in zone-h, bear in mind that in nearly all of these incidents there is no public information on the way in which they were carried out. Additionally, many defacements are not targeted and are the result of a wide scan for vulnerable sites, and therefore we do not normally include defacements in WHID.

 

Why can't I find a well known incident in the database?

The reason is probably that the incident did not occur due to a web application vulnerability, or that we do not know how it happened. For example, probably the most well known information security breach ever, the CardSystems incident, was added only in April 2006, nearly a year after it was initially publicized. While we always suspected that it was a web hack, and industry rumors hinted at that, no public information regarding the way in which the hack was done was available until April 2006. In fact, the CardSystems incident was cited in previous versions of this FAQ as an example of an incident that we would like to add to WHID but cannot. For other hacks such information is not available and may not become available in the future.

 

How reliable are the incidents reported at WHID?

The data collected is NOT reported directly to WASC but is rather collected from public sources, mostly technical media, mailing list posts and researchers' advisories. As a result, the reliability of the reported information depends on the source. Since the source (or sources) is included with each entry, the reader can assess its reliability independently. We do, however, assess the source before including an incident in the database, and if for whatever reason something we added to the database is found to be erroneous, we remove it, though this has never happened to date.

For media-reported incidents, we're trusting that the reporter or news outlet verified the information. For mailing-list-reported incidents and research advisories, these issues are normally quickly confirmed or refuted by other subscribers or by the offended vendor. In case of doubt, evaluate the level of information provided in the disclosure and the publishing history of the researcher.

 

Breach vs. Disclosure

The database includes two types of incidents: "breach" or "disclosure". Breaches are incidents in which a web site was compromised, while disclosures are incidents in which a researcher published a vulnerability in a web site. In other words, breaches are incidents in which we know bad guys took advantage of a vulnerability, while disclosures are incidents in which we hope the good guys were first.

 

The "Unknown" Threat Classification

All incidents are classified according to the Web Application Security Consortium Threat Classification (WASC-TC). This classification sheds light on the nature of the security vulnerability in the web application.

Some of the incidents are classified as "Unknown". You may wonder why these incidents were included in the list, as there is no way to know that the hacker exploited a web application vulnerability. In some cases the public information available indicates that the incident exploited a web application vulnerability, and in others we deduced it from the available information.

 

How can I contribute?

The Web Hacking Incidents Database (WHID) is a community effort and is part of the Web Application Security Consortium, a not-for-profit industry organization focused on education about the web application security problem.

The information is provided under the open source Creative Commons license, which in very simple words says that anyone can use the information for whatever need as long as the source is mentioned.

You can help make WHID better. You don't need to invest a lot of time:

  • If you encounter a new Web incident, use the submittal form on the main project page. All we need is a link to a site describing the incident.
  • As we speak English, we miss a lot in non-English-speaking countries, so we are especially looking for non-English sources. As long as they can be translated using Google Translate or a similar service, we can include them.
  • If you want to contribute more, become a WHID editor. Send an e-mail to the project leader with a few words (and preferably a link) about yourself and sign up to this site. We will activate your account and enable you to edit incidents. We need you to:
    • Classify incidents prior to 2007. We added classifications such as attack method, outcome, country and industry only in 2007.
    • Proof and edit the descriptions.