OWASP WASC Web Hacking Incidents Database Project

What incidents are included in the Web Hacking Incidents Database?

The Web Hacking Incident Database only tracks media reported security incidents that can be associated with a web application security vulnerability. We also try to limit the database only to targeted attacks, though the distinction between targeted and non-targeted attacks is grey. The database does not include known vulnerabilities in web based applications, an area well covered by other databases such as CVE, OSVDB or the Bugtraq vulnerabilities database. Neither does the database include incidents in which web site were breached using operating system or network layer vulnerabilities. We also consider most web site defacements as non targeted attacks and do not include them in the database. For information about web site defacements refer to zone-h.

As those criteria are somewhat subjective, we welcome comments on the inclusion or exclusion of publicized security breaches.

Were there only few dozen web hacks last year?

The criteria for inclusion in WHID are very strict. The goal is to list only incidents that are related to web application layer vulnerabilities/attacks. The goal is to show that application layer security is a risk we cannot ignore anymore.

Keep in mind, that while there are countless website hacks and defacements most are not reported. Even for those reported most of the time it is difficult to tell how exactly they occurred.

Specifically addressing the defacement incidents reported in zone-h, bear in mind that in nearly all of these incidents there is no public information on the way in which they were carried. Additionally, many defacements are not targeted and are the result of a wide scan for vulnerable sites and therefore we do not normally include defacements in WHID.

Why can't I find a well known incident in the database?

The reason is probably that the incident did not occur due to a web application vulnerability, or that we do not know how did it happen. For example probably the most well known information security breach ever, the CardSystems incident was added only in April 2006, nearly a year after it was initially publicized. While we always suspected that it was a web hack and industry rumors hinted that, no public information regarding the way in which the hack was done was available until April 2006. Actually the CardSystems incident was brought in previous versions of this FAQ as an example of an incident that we would like to add to WHID but cannot. For other hacks such information is not available and may not become available in the future.

How reliable are the incidents reported at WHID?

The data collected is NOT reported directly to WASC but is rather collected from public sources, mostly technical media, mailing list post and researchers advisories. As a result the reliability of the reported information depends on the source. Since the source (or sources) is included with each entry, the reader can assess its reliability independently. We do however assess the source before including an incident in the database and if for whatever reason something we added to the database is found to be erroneous, we remove it, though this has ever happened to date.

For media reported incidents, we're trusting that the reporter or news outlet verified the information. For mailing list reported incidents and research advisories, these issues are normally quickly confirmed our refuted by other subscribers or by the offended vendor. In case of doubt evaluate the level of information provided in the disclosure and the publishing history of the researcher.

Breach vs. Disclosure

The database includes two types of incidents: "breach" or "disclosure". Breaches are incidents in which a web site was compromised, while disclosures are incidents in which a researcher published a vulnerability in a web site. In other words, breaches are incidents in which we know bad guys took advantage of a vulnerability, while disclosures are incidents in which we hope the good guys were first.

The "Unknown" Threat Classification

All incidents are classified according to the Web Application Security Consortium Threat Classification (WASC-TC). This classification sheds light on the nature of the security vulnerability in the web application.

Some of the incidents are classified as "Unknown". You may wonder why were these incidents included in the list, as there is no way to know that the hacker exploited a web application vulnerability. In some cases the public information available indicates that the incident exploited a web application vulnerability, and in others we deducted from the available information.

How can I contribute?

The Web Hacking Incidents Database (WHID) is a community effort. The information is provided under the open source Creative Common License, which in very simple words says that anyone can use the information for whatever need as long as the source is mentioned.

You can help make WHID better. You don't need to invest a lot of time:

• If you encounter a new Web incident, please use one of the following methods to notify the WHID project team:
  • Send an email to - owaspwhid_at_owasp.org
  • Send a tweet to @owaspwhid
  • Enter a link in the WHID Submittal Form
• As we natively speak English we miss alot in non English speaking countries so we are especially looking for non English sources. As long as they can be translated using Google translate of a similar service, we can include it.
• If you want to contribute more, become a WHID editor. Send an e-mail to the project leader with a few words (and preferably a link) about yourself and sign up to this site. We will activate your account and enable you to edit incidents. We need you to:
  • Classify incidents a backlog of incidents from 2nd half of 2013.
  • You can help by Proofing/editing the descriptions and classifications.

Volunteers

The WHID project is only as good as it's entries. The primary contributors to date have been:

• Ofer Shezaf
• Jason Coleman
• Jeremiah Grossman
• Robert Auger

Others

• xxx
• xxx

• We are always looking for new methods of identifying real-world web compromise data sources. If you have any ideas, please contact us.
• We are also looking for new ways to store and analyze the data. Currently we utilize Google's FusionTables to store our raw data. If you have recommendations for improvements, please let us know.

Involvement in the development and promotion of WHID is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

• If you have identified a possible WHID candidate, please use of the following methods to notify the WHID project team:

1. Send an email to - owaspwhid_at_owasp.org
2. Send a tweet to @owaspwhid
3. Enter a link in the WHID Submittal Form

• If you would like to have WRITE access so you can add entries directly to WHID in Google FusionTables, contact the project team and we will add your Gmail account.