CAPEC - Common Attack Pattern Enumeration and Classification (CAPEC)

About CAPEC
Documents
Glossary
FAQs

CAPEC List
Search
Review
Downloads
Documentation
Release Notes
Archive
Submit Content

Community
Use & Citations
Related Activities
Discussion List
Contact Us

Compatibility
Program
Requirements
Participants
Make a Declaration

News & Events
Calendar
Free Newsletter

Search the Site

More News »

Status Report

Version 2.6 was released on July 23, 2014, and includes the following: 10 new attack patterns added, 6 attack patterns deprecated, 1 CAPEC -> Common Weakness Enumeration (CWE™) mapping added, and 2 CAPEC -> CWE mappings removed. There are now 463 total attack patterns listed. There were no schema updates. Read the release notes.

To respond effectively to today’s attacks, the community needs to think outside of the box and have a firm grasp of the attacker’s perspective and the approaches used to exploit cyber-enabled capabilities. CAPEC™ provides this information to the community to enhance security throughout a capabilities' lifecycle and to support the needs of developers, testers, and educators.

International in scope and free for public use, CAPEC is a publicly available, community-developed list of common attack patterns along with a comprehensive schema and classification taxonomy. Each attack pattern captures knowledge about how specific parts of an attack are designed and executed, providing the attacker’s perspective on the problem and the solution, and gives guidance on ways to mitigate the attack’s effectiveness. Attack patterns help those trying to defend against attacks better understand the specific elements of an attack and how to stop them from succeeding.

What are Attack Patterns?

An "attack pattern" is an abstraction mechanism to assist in understanding how an attack against vulnerable cyber-enabled capabilities is executed. Each pattern defines a challenge that an adversary may face, provides a description of the common technique(s) used to meet the challenge, and presents recommended methods for mitigating an actual attack. Attack patterns help categorize attacks in a meaningful way in an effort to provide a coherent way of teaching designers and developers how their systems may be attacked and how they can effectively defend them.
Example Attack Patterns

CAPEC-34: HTTP Response Splitting	CAPEC-66: SQL Injection
CAPEC-55: Rainbow Tables	CAPEC-100: Buffer Overflow
CAPEC-61: Session Fixation	CAPEC-103: Clickjacking
CAPEC-62: Cross Site Request Forgery	CAPEC-139: Relative Path Traversal
CAPEC-63: Simple Script Injection	CAPEC-229: XML Attribute Blowup

The entire CAPEC List Version 2.6 is available here.

Related Efforts
Cyber Observables (CybOX) Structured Threat Information (STIX) Malware (MAEC) Threat Information Exchange (TAXII)	Vulnerabilities (CVE) Software Weakness Types (CWE) Build Security In (BSI) Making Security Measurable (MSM)

Page Last Updated: July 23, 2014


	CAPEC is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2007 - 2014, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation. Contact capec@mitre.org for more information.	Privacy policy Terms of use Contact us