Common Attack Pattern Enumeration and Classification

Common Attack Pattern Enumeration and Classification

CAPEC View by Classification (Release 1.1)

CAPEC View by Classification (Release 1.1)

The Common Attack Pattern Enumeration and Classification (CAPEC), is a list of common attack patterns. Creating the list is a community initiative. Together, these organizations and any others that wish to join the effort, are creating specific and succinct definitions for each of the elements in the CAPEC List. By leveraging the widest possible group of interests and talents we hope to ensure that the CAPEC elements are adequately described and differentiated. The next steps are to adequately capture the specific effects, behaviors, exploit mechanisms, and implementation details in the CAPEC dictionary as well as to review and revise the presentation approaches that will best suit this information.

CAPEC View by Classification (Release 1.1)

Common Attack Pattern Enumeration and Classification

Abuse of Functionality

API Abuse/Misuse

Locate and Exploit Test APIs

Using Unpublished Web Service APIs - (36)Using Unpublished Web Service APIs - (36)

Programming to included script-based APIs

Discovering, querying, and finally calling micro-services, such as w/ AJAX

Leveraging CSS tools (e.g. Mozilla's GreaseMonkey) to change application behavior

Functionality Misuse

Inducing Account Lockout - (2)Inducing Account Lockout - (2)

Password Recovery Exploitation - (50)Password Recovery Exploitation - (50)

Manipulating hidden fields to change the normal flow of transactions (eShoplifting)

Forceful Browsing - (87)Forceful Browsing - (87)

Detect unpublicized web pages

Detect unpublicized web services

Directory Traversal

WSDL Scanning - (95)WSDL Scanning - (95)

Passing Local Filenames to Functions That Expect a URL - (48)Passing Local Filenames to Functions That Expect a URL - (48)

Probing an application by targeting its error reporting - (54)Probing an application by targeting its error reporting - (54)

Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping

Fuzzing and observing application log data/errors for application mapping

Try All Common Application Switches and Options

Cache Poisoning

Abuse of Communication Channels

Choosing a Message/Channel Identifier on a Public/Multicast Channel - (12)Choosing a Message/Channel Identifier on a Public/Multicast Channel - (12)

Exploiting Incorrectly Configured SSL Security Levels

Spoofing

Content Spoofing

Leveraging/Manipulating Configuration File Search Paths - (38)Leveraging/Manipulating Configuration File Search Paths - (38)

Fake the Source of Data

Checksum Spoofing

Spoofing o fUDDI/ebXML Messages

Identity Spoofing (Impersonation)

Principal Spoofing

Man in the Middle Attack - (94)Man in the Middle Attack - (94)

Utilizing Rest’s Trust in the System Resource to Register Man in the Middle - (57)Utilizing Rest’s Trust in the System Resource to Register Man in the Middle - (57)

Create Malicious Client

Client-Server Protocol Manipulation

Reflection Attack in Authentication Protocol - (90)Reflection Attack in Authentication Protocol - (90)

XML Routing Detour Attacks

External Entity Attack

Phishing - (98)Phishing - (98)

Spear Phishing

Mobile Phishing (aka MobPhishing)

Pharming - (89)Pharming - (89)

Probabilistic Techniques

Brute Force

Password Brute Forcing - (49)Password Brute Forcing - (49)

Try Common (default) Usernames and Passwords - (70)Try Common (default) Usernames and Passwords - (70)

Dictionary-based Password Attack - (16)Dictionary-based Password Attack - (16)

Encryption Brute Forcing - (20)Encryption Brute Forcing - (20)

Rainbow Table password cracking - (55)Rainbow Table password cracking - (55)

Fuzzing - (28)Fuzzing - (28)

Cryptanalysis - (97)Cryptanalysis - (97)

Manipulating Opaque Client-based Data Tokens - (39)Manipulating Opaque Client-based Data Tokens - (39)

Fingerprinting

Web Server/Application Fingerprinting (see WASC)

Footprinting

Client Network Footprinting (using AJAX/XSS) - (85)Client Network Footprinting (using AJAX/XSS) - (85)

Screen Temporary Files for Sensitive Information

Exploitation of Authentication

Authentication Bypass

Authentication Abuse

Reflection Attack in Authentication Protocol - (90)Reflection Attack in Authentication Protocol - (90)

Exploitation of Session Variables, Resource IDs and other Trusted Credentials - (21)Exploitation of Session Variables, Resource IDs and other Trusted Credentials - (21)

Session Credential Falsification through Forging

Session Credential Falsification through Prediction - (59)Session Credential Falsification through Prediction - (59)

Session Credential Falsification through Manipulation

Reusing Session IDs (aka Session Replay) - (60)Reusing Session IDs (aka Session Replay) - (60)

Session Fixation - (61)Session Fixation - (61)

Cross-site Request Forgery (aka Session Riding) - (62)Cross-site Request Forgery (aka Session Riding) - (62)

Resource Depletion

Denial of Service through Resource Depletion

Resource Depletion through Flooding

Resource Depletion through Allocation

Resource Depletion through DTD Injection in a SOAP Message

Resource Depletion through Leak

Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS)) - (82)Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS)) - (82)

XML Parser Attack - (99)XML Parser Attack - (99)

Recursive Payloads Sent to XML Parsers

Oversized Payloads Sent to XML Parsers

XML Ping of Death

Exploitation of Privilege/Trust

Privilege Escalation

Accessing, Modifying or Executing Executable Files - (17)Accessing, Modifying or Executing Executable Files - (17)

Manipulating Writeable Configuration Files - (75)Manipulating Writeable Configuration Files - (75)

Restful Privilege Elevation - (58)Restful Privilege Elevation - (58)

Symlink Attacks

Hijacking a privileged process

Hijacking a Privileged Thread of Execution - (30)Hijacking a Privileged Thread of Execution - (30)

Implementing a callback to system routine (old AWT Queue)

Catching exception throw/signal from privileged block

Subvert Code-signing Facilities - (68)Subvert Code-signing Facilities - (68)

Calling signed code from another language within a sandbox that allows this

Lifting signing key and signing malicious code from a production environment

Using URL/codebase / G.A.C. (code source) to convince sandbox of privilege

Target Programs with Elevated Privileges - (69)Target Programs with Elevated Privileges - (69)

Exploiting Trust in Client (aka Make the Client Invisible) - (22)Exploiting Trust in Client (aka Make the Client Invisible) - (22)

Man in the Middle Attack - (94)Man in the Middle Attack - (94)

Utilizing Rest’s Trust in the System Resource to Register Man in the Middle - (57)Utilizing Rest’s Trust in the System Resource to Register Man in the Middle - (57)

Create Malicious Client

Client-Server Protocol Manipulation

Reflection Attack in Authentication Protocol - (90)Reflection Attack in Authentication Protocol - (90)

Lifting Sensitive Data from the Client

Lifting Data Embedded in Client Distributions - (37)Lifting Data Embedded in Client Distributions - (37)

Lifting credential(s)/key material embedded in client distributions (thick or thin)

Lifting cached, sensitive data embedded in client distributions (thick or thin)

Reflection Attack in Authentication Protocol - (90)Reflection Attack in Authentication Protocol - (90)

Removing Important Functionality from the Client

Removing/short-circuiting 'guard logic' - (56)Removing/short-circuiting 'guard logic' - (56)

Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements

Removal of filters: Input filters, output filters, data masking

Subversion of authorization checks: cache filtering, programmatic security, etc.

Exploitation of Authorization

Accessing Functionality Not Properly Constrained by ACLs - (1)Accessing Functionality Not Properly Constrained by ACLs - (1)

Exploiting Incorrectly Configured Access Control Security Levels

Injection (Injecting Control Plane content through the Data Plane)

Analog In-Band Switching Signals (aka “Blue Boxing”) - (5)Analog In-Band Switching Signals (aka “Blue Boxing”) - (5)

Parameter Injection

Argument Injection - (6)Argument Injection - (6)

Manipulating Input to File System Calls - (76)Manipulating Input to File System Calls - (76)

Resource Injection

Code Injection

File System Function Injection, Content Based - (23)File System Function Injection, Content Based - (23)

Script Injection

File System Function Injection, Content Based - (23)File System Function Injection, Content Based - (23)

Simple Script Injection - (63)Simple Script Injection - (63)

Embedding Scripts within Scripts - (19)Embedding Scripts within Scripts - (19)

Embedding Scripts in Nonscript Elements - (18)Embedding Scripts in Nonscript Elements - (18)

Embedding Script (XSS ) in HTTP Headers - (86)Embedding Script (XSS ) in HTTP Headers - (86)

Embedding Scripts in HTTP Query Strings - (32)Embedding Scripts in HTTP Query Strings - (32)

XSS in Error Pages

XSS in IMG Tags - (91)XSS in IMG Tags - (91)

XSS in Attributes

XSS via Encoded URI Schemes

XSS Using Doubled Characters, e.g. %3C%3Cscript

XSS Using Alternate Syntax

XSS with Masking through Invalid Characters in Identifiers

XSS Footprinting

Using Meta-characters in E-mail Headers to Inject Malicious Payloads - (41)Using Meta-characters in E-mail Headers to Inject Malicious Payloads - (41)

Command Injection

Command Delimiters - (15)Command Delimiters - (15)

OS Command Injection - (88)OS Command Injection - (88)

SQL Injection - (66)SQL Injection - (66)

Blind SQL Injection - (7)Blind SQL Injection - (7)

SQL Injection through SOAP Parameter Tampering

Character Injection

Manipulating WriteableTerminal Devices - (40)Manipulating WriteableTerminal Devices - (40)

LDAP Injection

XML Injection

Xpath Injection - (83)Xpath Injection - (83)

Xquery Injection - (84)Xquery Injection - (84)

Remote Code Inclusion

Server Side Include (SSI) Injection - (101)Server Side Include (SSI) Injection - (101)

Format String Injection

Reflection Injection

Email Injection

Using Meta-characters in E-mail Headers to Inject Malicious Payloads - (41)Using Meta-characters in E-mail Headers to Inject Malicious Payloads - (41)

DTD Injection in a SOAP Message

Data Structure Attacks

Buffer Attacks

Overflow Buffers - (100)Overflow Buffers - (100)

Filter Failure through Buffer Overflow - (24)Filter Failure through Buffer Overflow - (24)

Buffer Overflow via Environment Variables - (10)Buffer Overflow via Environment Variables - (10)

Buffer Overflow in an API Call - (8)Buffer Overflow in an API Call - (8)

Buffer Overflow in Local Command-Line Utilities - (9)Buffer Overflow in Local Command-Line Utilities - (9)

Overflow Variables and Tags - (46)Overflow Variables and Tags - (46)

Buffer Overflow via Symbolic Links - (45)Buffer Overflow via Symbolic Links - (45)

String Format Overflow in syslog() - (67)String Format Overflow in syslog() - (67)

Client-side Injection-induced Buffer Overflow - (14)Client-side Injection-induced Buffer Overflow - (14)

Overflow Binary Resource File - (44)Overflow Binary Resource File - (44)

Accessing/Intercepting/Modifying HTTP Cookies - (31)Accessing/Intercepting/Modifying HTTP Cookies - (31)

Buffer Overflow via Parameter Expansion - (47)Buffer Overflow via Parameter Expansion - (47)

MIME Conversion - (42)MIME Conversion - (42)

SOAP Array Overflow

Integer Attacks

Forced Integer Overflow - (92)Forced Integer Overflow - (92)

Pointer Attacks

Attack through Shared Data

Data Leakage Attacks

Data Interception Attacks

Sniffing Attacks

Sniffing Information Sent Over Public/multicast Networks

Passively Sniff and Capture Application Code Bound for an Authorized Client - (65)Passively Sniff and Capture Application Code Bound for an Authorized Client - (65)

Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Dynamic Update

Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Patching

Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Initial Distribution

Data Excavation Attacks

Probing an application by targeting its error reporting - (54)Probing an application by targeting its error reporting - (54)

Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping

Fuzzing and observing application log data/errors for application mapping

Fuzzing for garnering (through web or log) other adjacent user/sensitive data as an authorized system user (overly broad but valid SQL queries)

Resource Manipulation

File manipulation

Accessing, Modifying or Executing Executable Files - (17)Accessing, Modifying or Executing Executable Files - (17)

File System Function Injection, Content Based - (23)File System Function Injection, Content Based - (23)

Overflow Binary Resource File - (44)Overflow Binary Resource File - (44)

User-Controlled Filename - (73)User-Controlled Filename - (73)

Leverage Executable Code in Nonexecutable Files - (35)Leverage Executable Code in Nonexecutable Files - (35)

Cause Web Server Misclassification - (11)Cause Web Server Misclassification - (11)

Force Use of Corruped Files

Create files with the same name as files protected with a higher classification

Configuration/Environment manipulation

Manipulating Writeable Configuration Files - (75)Manipulating Writeable Configuration Files - (75)

Manipulate Application Registry Values

Block Access to Libraries - (96)Block Access to Libraries - (96)

Redirect Access to Libraries

Variable manipulation

Manipulating Input to File System Calls - (76)Manipulating Input to File System Calls - (76)

Environment variable manipulation

Subverting Environment Variable Values - (13)Subverting Environment Variable Values - (13)

Global variable manipulation

Manipulating User-Controlled Variables - (77)Manipulating User-Controlled Variables - (77)

Force the System to Reset Values

Input Data Manipulation

Manipulate Canonicalization

Cause Web Server Misclassification - (11)Cause Web Server Misclassification - (11)

Leverage Alternate Encoding

Using Unicode Encoding to Bypass Validation Logic - (71)Using Unicode Encoding to Bypass Validation Logic - (71)

Using UTF-8 Encoding to Bypass Validation Logic - (80)Using UTF-8 Encoding to Bypass Validation Logic - (80)

URL Encoding

Embedding NULL Bytes - (52)Embedding NULL Bytes - (52)

Postfix, Null Terminate, and Backslash - (53)Postfix, Null Terminate, and Backslash - (53)

Using Leading 'Ghost' Character Sequences to Bypass Input Filters - (3)Using Leading 'Ghost' Character Sequences to Bypass Input Filters - (3)

Using Slashes in Alternate Encoding - (79)Using Slashes in Alternate Encoding - (79)

Using Escaped Slashes in Alternate Encoding - (78)Using Escaped Slashes in Alternate Encoding - (78)

Using Slashes and URL Encoding Combined to Bypass Validation Logic - (64)Using Slashes and URL Encoding Combined to Bypass Validation Logic - (64)

Using Alternative IP Address Encodings - (4)Using Alternative IP Address Encodings - (4)

Exploiting Multiple Input Interpretation Layers - (43)Exploiting Multiple Input Interpretation Layers - (43)

Double Encoding

Resource Location Attacks

Leveraging/Manipulating Configuration File Search Paths - (38)Leveraging/Manipulating Configuration File Search Paths - (38)

Path Traversal

Using Slashes in Alternate Encoding - (79)Using Slashes in Alternate Encoding - (79)

Using Escaped Slashes in Alternate Encoding - (78)Using Escaped Slashes in Alternate Encoding - (78)

Using Slashes and URL Encoding Combined to Bypass Validation Logic - (64)Using Slashes and URL Encoding Combined to Bypass Validation Logic - (64)

Relative Path Traversal

Common resource location exploration

Explore for predictable temporary file names

Directory Indexing

Audit Log Manipulation

Web Logs Tampering - (81)Web Logs Tampering - (81)

Log Injection-Tampering-Forging - (93)Log Injection-Tampering-Forging - (93)

Registry Manipulation

Poison Web Service Registry - (51)Poison Web Service Registry - (51)

Craft a Maliciously Misconfigured Registry

Infrastructure Manipulation

Pharming - (89)Pharming - (89)

DNS Cache Poisoning

Schema Poisoning

XML Schema Poisoning

Protocol Manipulation

Client Server Protocol Manipulation

Embedding Script (XSS ) in HTTP Headers - (86)Embedding Script (XSS ) in HTTP Headers - (86)

HTTP Response Splitting - (34)HTTP Response Splitting - (34)

HTTP Request Smuggling - (33)HTTP Request Smuggling - (33)

Embedding Script (XSS ) in HTTP Headers - (86)Embedding Script (XSS ) in HTTP Headers - (86)

Embedding Scripts in HTTP Query Strings - (32)Embedding Scripts in HTTP Query Strings - (32)

Inter-component Protocol Manipulation

Data Interchange Protocol Manipulation

Web Services Protocol Manipulation

XML External Entity Attack

Soap Manipulation

DTD Injection in a SOAP Message

DTD Injection in a SOAP Message

SOAP Parameter Tampering

SQL Injection through SOAP Parameter Tampering

Windows ::DATA Alternate Data Stream

Time and State Attacks

Manipulating User State - (74)Manipulating User State - (74)

Bypassing of Intermediate Forms in Multiple-Form Sets

Forced Deadlock - (25)Forced Deadlock - (25)

Leveraging Race Conditions - (26)Leveraging Race Conditions - (26)

Leveraging Race Conditions via Symbolic Links - (27)Leveraging Race Conditions via Symbolic Links - (27)

Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions - (29)Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions - (29)