wasc-whid@lists.webappsec.org

WASC Web Hacking Incidents Database

WHID 2011-75: Manila Water's website hacked

WASC Web Hacking Incidents Database
Mon, Apr 25, 2011 1:21 PM

*Entry Title: *WHID 2011-75: Manila Water's website hacked
*WHID ID: *2011-75
*Date Occurred: *April 17, 2011
*Attack Method: *SQL Injection
*Application Weakness: *Improper Input Handling
*Outcome: *Defacement
*Attacked Entity Field: *Energy
*Attacked Entity Geography: *Manila, Philippines
*Incident Description: *The website of water concessionaire Manila Water was
hacked early Sunday, with visitors to the site seeing a small window
indicating the breach.
WHID Analysis - looking at the HTML in the pages, it appears as though SQL
injection was the attack vector -

<script type="text/javascript"> function show_alert(){ alert("*hacked! pakifix po yung blind sql po sa server nyo :D*");} </script>

*Mass Attack: *No
*Reference: *
http://www.gmanews.tv/story/218014/nation/manila-waters-website-hacked
*Attack Source Geography:*
