From: Sverre H. Huseby (shh thathost.com)
Date: Fri Jun 28 2002 - 07:32:23 CDT
I received more than 30 links in response to my query for real-life
attacks on web applications. After filtering according to my rules (1:
attack on the web application, not the infrastructure (including web
server software), and 2: real crime, not just a demonstration that
attacks are possible), only two links remain! Too bad.
David Endler gave me the following:
http://www.usatoday.com/life/cyber/tech/2001-08-31-hotmail-security-side.htm
Not the main topic of the article, but it mentions this:
"Last week, a hacker used cross-site scripting to wipe out desktop
icons of Web users visiting Price Loto, a Japanese auction site,
prompting the site to temporarily shut down while a patch was
devised, says Japan's Information Technology Promotion Agency."
Some person that didn't tell me if s/he wanted his/her name here, gave
me:
http://www.computeruser.com/news/02/05/31/news8.html
On bugs in code to "mail tip to a friend about this article".
Again, the following is not the main topic, but it is mentioned:
"A prankster exploited the flaw at CNN.com in Oct. 2001 to spread a
hoax about the death of pop singer Britney Spears. By creating a
mock-up of a CNN.com Web page at an external site and using a quirk
in how Web browsers handle special addresses, the prankster
apparently fooled thousands of people into thinking Spears had died
in a car accident."
The majority of the "rejected" links point to news articles that
describe exploitable holes, but no indication that someone actually
used the holes for purposes other than demonstration/publicity.
Some of the articles describe actual crimes (typically theft of
personal information), but they don't give enough info to make it
possible to classify the attacks as being on the web application
itself.
Thanks to all who sent me information. Sorry that so little got
included in the summary, but most of what I got was, as I said, not
quite what I asked for.
(Please do not send me more, as I will not make another summary.)
Sverre.
-- shhthathost.com Computer Geek? Try my Nerd Quiz http://shh.thathost.com/ http://nerdquiz.thathost.com/