Awesome

Overview

The goal of this project is to maintain a list of bug websites such as Heartbleed.com. Contributions welcome!

Websites

• Backronym.fail – allows for an attacker to downgrade and snoop on the SSL/TLS connection that MySQL client libraries use to communicate to a MySQL server.
• Badlock.org – MITM attack for samba in an Active Directory environment.
• BreachAttack.com – HTTPS information leak by compression. Related to CRIME.
• Dirty COW – a privilege escalation vulnerability in the Linux Kernel.
• DUHK Attack – devices using the ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded seed key allows attackers to recover the secret key.
• DrownAttack.com – attacks servers supporting modern TLS protocol suites by using their support for the obsolete, insecure, SSL v2 protocol.
• Factorable.net – widespread weak keys in network devices.
• FreakAttack.com – allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption
• GoToFail.com – certain Apple iOS versions did not check TLS certificate validity.
• Heartbleed.com – OpenSSL memory leak which could leak private keys.
• httpoxy.org – insecure handling of HTTP proxy environment variable in CGI applications.
• ImageTragick.com – remote code execution in imagemagick via user-submitted images.
• KRACKAttacks.com – WPA2 vulnerability resulting from nonce reuse that enables decryption of sent packets. In some cases this leads to MITM.
• MeltdownAttack.com - Information leak via broken isolation between priviledged and unpriviledged memory.
• OCSP Status Request - Allows exhaustion of server memory through OSCP Status Requests.
• Poodle.io – allows MITM attacker to downgrade TLS connections and decrypt SSLv3 connections.
• ROBOTAttack.org – Return of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server.
• SHAttered.io - Collision attack against SHA-1.
• SpectreAttack.com - Information leak via speculative execution behaviors in modern CPUs.
• Sweet32.info - Birthday attacks on 64-bit block ciphers in TLS and OpenVPN.
• WeakDH.org – applications which support DHE_EXPORT ciphers allow MITM via weak Diffie-Hellman keys.