The incidents reported on WHID (the Web Hacking Incidents Database) last week were:

* WHID 2009-3: Google Trends Falls Victim to a Stunt (http://whid.xiom.com/whid-2009-3)
  A very good example of why insufficient anti-automation is becoming a major threat to web applications.

* WHID 2009-4: Twitter Personal Info CSRF (http://whid.xiom.com/whid-2009-4)
  If you thought Web 2.0 was dangerous, but didn't know just how (or what Web 2.0 is...), this incident is your answer.

* WHID 2009-5: School data hacked, grades altered (http://whid.xiom.com/whid-2009-5)
  Every student's dream comes true.

* WHID 2009-6: InfoGov switch hosting due to lack of security (http://whid.xiom.com/whid-2009-6)

* WHID 2009-7: China's Yeepay.com Suffers Internet Payment Hacker Attack (http://whid.xiom.com/whid-2009-7_Chinas_Yeepay_Suffers_Internet_Payment_Hacker_Attack)

An interesting 2008 incident added recently is WHID 2008-53: "SQL by Design" leaks Thousands of SSNs at an Oklahoma Gov site (http://whid.xiom.com/whid-2009-53_Oklahoma_Leaks_Tens_of_Thousands_of_Social_Security_Numbers). This one demonstrates a too common variant of SQL injection, which I labeled "SQL by design".

~ Ofer

Ofer Shezaf
shezaf@xxxxxxxx, +972-54-4431119
Founder, Xiom.com, Proactive Web Application Security, http://www.xiom.com
Chairman, OWASP Israel
Leader, WASC Web Hacking Incidents Database Project