Project Overview

The Web Hacking Incident Database, or WHID for short, is a Web Application Security Consortium project dedicated to maintaining a list of web application related security incidents. WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide information for statistical analysis of web application security incidents. WHID has been featured in Information Week and on Slashdot.

"Thanks so much for the WHID, having a public repository such as this makes it easier for security practitioners to justify what they do for their colleagues. You make my job easier, thanks!" -Erik Cabetas, Security Officer for a large E-Commerce website.

The database is unique in tracking only media-reported security incidents that can be associated with a web application security vulnerability. We also try to limit the database to targeted attacks only. Please refer to the FAQ for further information on what you will and will not find in WHID.

If you have additional information on those or other web hacking incidents, you are more than welcome to share this information with us (rcbarnett gmail.com).

Project Leader

Ryan C. Barnett is a Senior Security Researcher on Trustwave's SpiderLabs Research Team, where his focus is web application firewall technology and virtual patching. In addition to working with Trustwave, he is also a SANS Institute certified instructor, where he teaches web application security courses and serves on the CWE/SANS Top 25 Worst Programming Errors Team. Ryan is also a Web Application Security Consortium (WASC) Member, where he leads the Web Hacking Incidents Database (WHID) and Distributed Open Proxy Honeypots Projects. He also serves as the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set (CRS) project leader. Mr. Barnett is a frequent speaker at security industry conferences such as Blackhat, OWASP and SANS, and has also authored a web security book for Addison/Wesley Publishing entitled Preventing Web Attacks with Apache.

If you would like to be involved with the project, please contact the project leader - Ryan Barnett (rbarnett trustwave.com).

Project Contributors

Jason Coleman

Ofer Shezaf (Former Project Leader)

Jeremiah Grossman

Robert Auger

Project Sponsors

Project reports are provided by Trustwave's SpiderLabs.

Keep Track of the Latest WHID Entries

WHID Mail-list

http://lists.webappsec.org/mailman/listinfo/wasc-whid_lists.webappsec.org

Twitter Feed

@wascwhid


Submit an Incident

If you have identified a possible WHID candidate, please use one of the following methods to notify the WHID project team:

Send an email to wascwhid gmail.com

Send a tweet to @wascwhid

Enter a link here in the submittal form


Real-Time Statistics

These visualizations show Attacks, Weaknesses and Outcomes for all Vertical Markets for all years (1999-2011). If you want to see custom visualizations, go to the Google Fusion Table WHID project site page and follow these steps:

Click on "Show Options"

Click on the "Filter" link

Select "WHID ID" and "starts with", then enter "2010" and click "Apply" to see all data for 2010

Click on "Aggregate", select the item you wish to see (for example, Attack Methods) and click "Apply"

Then click on "Visualize" and "Pie" to see your custom view

You can do similar steps to correlate multiple data points such as Vertical Markets.

Top Attack Methods (All Entries)

Top Application Weaknesses (All Entries)

Top Impacts/Outcomes (All Entries)

Search the WHID Database

The WHID data is currently hosted online using Google's Fusion Tables. To search the data, click on "Show Options" and then the "Aggregate" link. You should see a screen similar to this:

Management View

Use the Aggregate filtering to select the "Outcome" of interest to you and your business and then review which Attack Methods and Application Weaknesses lead to this Outcome.

Security Analyst View

Use the Aggregate filtering to select the "Attack Method" of interest to you and your business (perhaps you know that your sites are vulnerable to SQL Injection) and then review the underlying Application Weakness and potential Outcomes. This data will help to facilitate discussions with both Management and Developers.

Developer View

Use the Aggregate filtering to select the "Application Weakness" of interest to you and your business and then review the various Attack Methods that may exploit the weakness and the different potential Outcomes.

Geographic WHID View

Frequently Asked Questions

Reports

Presentations

The Web Hacking Incident Database Update for 2009 by Ryan Barnett at the OWASP AppSec DC Conf 2009

The Web Hacking Incidents Database -- Ryan Barnett from OWASP DC on Vimeo.

Analysis of the Web Hacking Incident Database (WHID) 2008 by Ofer Shezaf at the OWASP AppSec NYC Conf 2008

Disclaimers

WHID is based entirely on public information. All the incidents listed here were previously reported publicly on other web sites, and each incident includes references to those sites. Please also note that, unless mentioned otherwise, all the vulnerabilities listed have already been fixed.