CAPEC - Common Attack Pattern Enumeration and Classification (CAPEC)

About CAPEC
Documents
Glossary
FAQs

CAPEC List
Full CAPEC Dictionary
Methods of Attack View
Reports
Submit Content

Community
Use & Citations
Related Activities
Discussion List
Contact Us

Compatibility
Program
Requirements
Participants
Make a Declaration

News & Events
Calendar
Free Newsletter

Search the Site

More News »

Status Report

Version 2.3 was released on February 6, 2014, and includes the following: 20 new attack patterns, and the addition of 12 new mappings for 5 entries. In addition, the observables namespace was updated to reflect Cyber Observable eXpression (CybOX™) Version 2.1 in the CAPEC Schema, which is now at Version 2.7. Read the release notes.

To respond effectively to today’s attacks, the community needs to think outside of the box and have a firm grasp of the attacker’s perspective and the approaches used to exploit software systems. CAPEC™ provides this information to the community to enhance security throughout the software development lifecycle and to support the needs of developers, testers, and educators.

International in scope and free for public use, CAPEC is a publicly available, community-developed list of common attack patterns along with a comprehensive schema and classification taxonomy. Each attack pattern captures knowledge about how specific parts of an attack are designed and executed, providing the attacker’s perspective on the problem and the solution, and gives guidance on ways to mitigate the attack’s effectiveness. Attack patterns help those trying to defend against attacks better understand the specific elements of an attack and how to stop them from succeeding.

What are Attack Patterns?

An "attack pattern" is an abstraction mechanism for helping describe how an attack against vulnerable systems or networks is executed. Each pattern defines a challenge that an attacker may face, provides a description of the common technique(s) used to meet the challenge, and presents recommended methods for mitigating an actual attack. Attack patterns help categorize attacks in a meaningful way in an effort to provide a coherent way of teaching designers and developers how their systems may be attacked and how they can effectively defend them.
Example Attack Patterns

CAPEC-34: HTTP Response Splitting	CAPEC-66: SQL Injection
CAPEC-55: Rainbow Tables	CAPEC-100: Buffer Overflow
CAPEC-61: Session Fixation	CAPEC-103: Clickjacking
CAPEC-62: Cross Site Request Forgery	CAPEC-139: Relative Path Traversal
CAPEC-63: Simple Script Injection	CAPEC-229: XML Attribute Blowup

The entire CAPEC List (Version 2.3) is available here.

Related Efforts
Cyber Observables (CybOX) Structured Threat Information (STIX) Malware (MAEC) Threat Information Exchange (TAXII)	Vulnerabilities (CVE) Software Weakness Types (CWE) Build Security In (BSI) Making Security Measurable (MSM)

Page Last Updated: March 07, 2014


	CAPEC is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2007 - 2014, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation. Contact capec@mitre.org for more information.	Privacy policy Terms of use Contact us