[WEB SECURITY] collecting real world web hacking url's

Jeremiah Grossman jeremiah at whitehatsec.com
Tue May 24 12:40:16 EDT 2005


On Tuesday, May 24, 2005, at 09:24  AM, Jay D. Dyson wrote:

>
> On Tue, 24 May 2005, Jeremiah Grossman wrote:
>
>> In the recent past we've read about some high-profile security 
>> incidents where web application security played a role.
> <snip>
>> I'm going to compile a list of news stories, articles, papers, etc 
>> specific to real world web application security incidents.
>
> 	I wish you good luck and godspeed, but consider well that your 
> undertaking may be difficult for a few glaring reasons:
>
> 	1.	Admins are typically ordered not to release details (and
> 		few do since it would expose their incompetence).
>
> 	2.	Law Enforcement Officers typically don't grok technical
> 		issues of this caliber (there are a few merciful
> 		exceptions to this rule), and they are not disposed to
> 		discussing details of an open investigation.
>
> 	3.	Articles based on the bragging of the intruder are suspect
> 		since the intruder will rarely tell the full truth.
> 		Either they'll pump up their vector of intrusion to preen
> 		over their l337 t3kn1k4l sk1llz, or they'll leave out key
> 		information for fear of being seen as a scriptkiddy.
>
> 	Sadly, discussions of high-profile security incidents are much like 
> discussions of wealth and sex: those who have the most talk the 
> least...and vice-versa.


You're right on the money there. That's also why when webappsec related 
incidents are written about, even while lacking in technical detail, 
it's valuable to grab them anyway.  In the end if I'm only able to get 
simple reference points, it's better than nothing.

This also tells us something else important....

The limited availability of mainstream news shows how lacking the 
webappsec industry is in hard data. We have only a small clue as to who 
is attacking whom, how often, or what techniques are actually being used. 
We have our individual educated guesses sure, but that's really about 
it. zone-h [1] gave us some recent numbers, but it's nowhere near 
enough.  I'd like to see more. Anyway, hopefully we'll be able to bring 
more context to the challenges.

[1] http://www.theregister.co.uk/2005/04/27/zone-h_defacement_survey/


Jeremiah-


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
