The Web Hacking Incident Database, or WHID for short, is a Web Application Security Consortium project dedicated to maintaining a list of web applications related security incidents.

WHID goal is to serve as a tool for raising awareness of the web application security problem and provide information for statistical analysis of web applications security incidents. WHID has been featured in Information Week and slash dot.

The database is unique in tracking only media reported security incidents that can be associated with a web application security vulnerability. We also try to limit the database to targeted attacks only. Please refer to the FAQ for further information on what you will find and what you will not find in WHID.

If you have additional information on those or other web hacking incidents, you are more than welcome to share this information with us.

Use the database

• Browse incidents
• Query incidents
• Use the RSS feed

Frequenty Asked Questions

• What incidents are included in the Web Hacking Incidents Database?
• Where there only few dozen web hacks last year?
• Why can't I find a well known incident in the database?
• How reliable are the incidents reported at WHID?
• Breach vs. Disclosure
• The "Unknown" Threat Classification
• Other statistical resources
• How can I contribute to the project?

Reports

• 2007 Annual Report

Disclaimers

WHID is based entirely on public information. All the incidents listed here where reported publicly before on other web sites and each incident includes references to those sites. Please also note that unless mentioned otherwise all the vulnerabilities listed have already been fixed.