10

I've been put in charge of educating developers on web application security. One way I will be doing this is through an explanation of various web attacks (e.g., OWASP top ten).

In addition to an explanation of the attack and possible mitigations, I would like to give a real life example describing what sort of damage the attack can cause with details on how the attack occurred.

The best example I've found of this is the Apache.org attack, but I doubt others would be as detailed. Otherwise, the best I can find are news articles stating the a site was attacked, but without mentioning what the attack was.

Are there any resources keeping track of the details of attacks like this?

Jay Lindquist
  • 203
  • 2
  • 6
  • 3
    http://xkcd.com/327/ – Vishwanath Dalvi Nov 13 '11 at 11:29
  • You may want to check out certifiedsecure.com. They have a bunch of practice scenarios you can run through yourself, and while these are tailored for the learning experience, they are based on vulnerabilities found in the wild. – tdammers Nov 13 '11 at 14:00

4 Answers4

7

Spend a little time browsing through the archives of a mailing list like Full Disclosure. You'll find real life examples of various kinds of web site attacks, e.g.:

Or browse through the CVE database. Not every entry will have full details, but you can often find a link back to Full Disclosure or some similar site with the details you're looking for. (Or, in the case of open source products, you could take a look at the source to see what was patched.) Just a search on phpmyadmin will give you a rich set of examples which have the benefit of being open source and all coming from the same code base:

It looks like there have been 17 advisories for phpmyadmin so far this year, so it's feasible that your staff could find a couple more if you assign this as a task during your training exercise.

Another category of helpful resources are wargames websites like hACME game and Hack This Site!.

bstpierre
  • 4,968
  • 1
  • 22
  • 34
4

While this doesn't cover everything. I found this video "Hacking: Top 5 Attacks and Defenses" that was presented at an Australian TechEd session in 2010 to be good to increase developer understanding. It has specific examples. It is targeted at Microsoft developers but applies to all.

http://channel9.msdn.com/Events/TechEd/Australia/2010/SEC406

Bernie White
  • 2,846
  • 18
  • 18
3

Google's CSRF attack email filter attack is a good one in explaining CSRF. Maybe check Verizon Business's data breach report?

I don't think you'll find a single source for all the info you're looking for.

Stephen Ostermiller
  • 483
  • 1
  • 5
  • 13
Alex Lauerman
  • 495
  • 5
  • 8
-1

I usually go to www.governmentsecurity.org for these sorts of things. i know they have an archive of viruses, and maybe they have logs of attacks people have made on websites.

Jon Valentine
  • 215
  • 3
  • 6