CAPEC - Common Attack Pattern Enumeration and Classification (A Community of Knowledge Resource for Building Secure Software)

CAPEC-2000: Comprehensive CAPEC Dictionary

View ID: 2000 (View: Implicit Slice)
Status: Draft

View Structure: Implicit_Slice

View Objective

This view (slice) covers all the elements in CAPEC.

Filter Used: true()

CAPECs in this view / Total CAPECs
Total: 310 out of 310
Views: 5 out of 5
Categories: 18 out of 18
Attack Patterns: 287 out of 287
Category: Abuse of Communication Channels - (216)
Category: Abuse of Functionality - (210)
Attack Pattern: Abuse of transaction data structure - (257)
Attack Pattern: Accessing Functionality Not Properly Constrained by ACLs - (1)
Attack Pattern: Accessing, Modifying or Executing Executable Files - (17)
Attack Pattern: Accessing/Intercepting/Modifying HTTP Cookies - (31)
Attack Pattern: Action Spoofing - (173)
Attack Pattern: Analog In-band Switching Signals (aka Blue Boxing) - (5)
Attack Pattern: Analytic Attacks - (281)
Attack Pattern: API Abuse/Misuse - (113)
Attack Pattern: Argument Injection - (6)
Attack Pattern: Attack through Shared Data - (124)
Attack Pattern: Audit Log Manipulation - (268)
Attack Pattern: Authentication Abuse - (114)
Attack Pattern: Authentication Bypass - (115)
Attack Pattern: Blind SQL Injection - (7)
Attack Pattern: Block Access to Libraries - (96)
Attack Pattern: Brute Force - (112)
Attack Pattern: Buffer Attacks - (123)
Attack Pattern: Buffer Overflow in an API Call - (8)
Attack Pattern: Buffer Overflow in Local Command-Line Utilities - (9)
Attack Pattern: Buffer Overflow via Environment Variables - (10)
Attack Pattern: Buffer Overflow via Parameter Expansion - (47)
Attack Pattern: Buffer Overflow via Symbolic Links - (45)
Attack Pattern: Bypassing of Intermediate Forms in Multiple-Form Sets - (140)
Attack Pattern: Cache Poisoning - (141)
Attack Pattern: Calling signed code from another language within a sandbox that allows this - (237)
Attack Pattern: Catching exception throw/signal from privileged block - (236)
Attack Pattern: Cause Web Server Misclassification - (11)
Attack Pattern: Character Injection - (249)
Attack Pattern: Checksum Spoofing - (145)
Attack Pattern: Choosing a Message/Channel Identifier on a Public/Multicast Channel - (12)
Attack Pattern: Clickjacking - (103)
Attack Pattern: Client Network Footprinting (using AJAX/XSS) - (85)
Attack Pattern: Client-Server Protocol Manipulation - (220)
Attack Pattern: Client-side Injection-induced Buffer Overflow - (14)
Attack Pattern: Code Inclusion - (175)
Attack Pattern: Code Injection - (241)
Attack Pattern: Command Delimiters - (15)
Attack Pattern: Command Injection - (248)
Attack Pattern: Command Line Execution through SQL Injection - (108)
Attack Pattern: Common resource location exploration - (150)
View: Comprehensive CAPEC Dictionary - (2000)
Attack Pattern: Configuration/Environment manipulation - (176)
Attack Pattern: Content Spoofing - (148)
Attack Pattern: Craft a Maliciously Misconfigured Registry - (270)
Attack Pattern: Create files with the same name as files protected with a higher classification - (177)
Attack Pattern: Create Malicious Client - (202)
Attack Pattern: Cross Site Request Forgery (aka Session Riding) - (62)
Attack Pattern: Cross Site Scripting through Log Files - (106)
Attack Pattern: Cross Site Tracing - (107)
Attack Pattern: Cross Zone Scripting - (104)
Attack Pattern: Cross-Site Flashing - (178)
Attack Pattern: Cross-Site Scripting in Attributes - (243)
Attack Pattern: Cross-Site Scripting in Error Pages - (198)
Attack Pattern: Cross-Site Scripting Using Alternate Syntax - (199)
Attack Pattern: Cross-Site Scripting Using Doubled Characters, e.g. %3C%3Cscript - (245)
Attack Pattern: Cross-Site Scripting Using Flash - (246)
Attack Pattern: Cross-Site Scripting Using MIME Type Mismatch - (209)
Attack Pattern: Cross-Site Scripting via Encoded URI Schemes - (244)
Attack Pattern: Cross-Site Scripting with Masking through Invalid Characters in Identifiers - (247)
Attack Pattern: Cryptanalysis - (97)
Attack Pattern: Data Excavation Attacks - (116)
Attack Pattern: Data Interception Attacks - (117)
Attack Pattern: Data Interchange Protocol Manipulation - (277)
Category: Data Leakage Attacks - (118)
Category: Data Structure Attacks - (255)
Attack Pattern: Denial of Service through Resource Depletion - (227)
View: Detailed Abstractions - (284)
Attack Pattern: Detect Unpublicised Web Pages - (143)
Attack Pattern: Detect Unpublicised Web Services - (144)
Attack Pattern: Dictionary-based Password Attack - (16)
Attack Pattern: Directory Indexing - (127)
Attack Pattern: Directory Traversal - (213)
Attack Pattern: Discovering, querying, and finally calling micro-services, such as w/ AJAX - (179)
Attack Pattern: DNS Cache Poisoning - (142)
Attack Pattern: DNS Rebinding - (275)
Attack Pattern: DNS Zone Transfers - (291)
Attack Pattern: Double Encoding - (120)
Attack Pattern: DTD Injection in a SOAP Message - (254)
Attack Pattern: Email Injection - (134)
Attack Pattern: Embedding NULL Bytes - (52)
Attack Pattern: Embedding Script (XSS) in HTTP Headers - (86)
Attack Pattern: Embedding Scripts in HTTP Query Strings - (32)
Attack Pattern: Embedding Scripts in Nonscript Elements - (18)
Attack Pattern: Embedding Scripts within Scripts - (19)
Attack Pattern: Encryption Brute Forcing - (20)
Attack Pattern: Enumerate Mail Exchange (MX) Records - (290)
Attack Pattern: Environment variable manipulation - (264)
Category: Exploitation of Authentication - (225)
Attack Pattern: Exploitation of Authorization - (122)
Category: Exploitation of Privilege/Trust - (232)
Attack Pattern: Exploitation of Session Variables, Resource IDs and other Trusted Credentials - (21)
Attack Pattern: Exploiting Incorrectly Configured Access Control Security Levels - (180)
Attack Pattern: Exploiting Incorrectly Configured SSL Security Levels - (217)
Attack Pattern: Exploiting Multiple Input Interpretation Layers - (43)
Attack Pattern: Exploiting Trust in Client (aka Make the Client Invisible) - (22)
Attack Pattern: Explore for predictable temporary file names - (149)
Attack Pattern: External Entity Attack - (201)
Attack Pattern: External Entity Attack - (221)
Attack Pattern: Fake the Source of Data - (194)
Attack Pattern: File Manipulation - (165)
Attack Pattern: File System Function Injection, Content Based - (23)
Attack Pattern: Filter Failure through Buffer Overflow - (24)
Category: Fingerprinting - (224)
Attack Pattern: Flash File Overlay - (181)
Attack Pattern: Flash Injection - (182)
Attack Pattern: Flash Parameter Injection - (174)
Attack Pattern: Footprinting - (169)
Attack Pattern: Force the System to Reset Values - (166)
Attack Pattern: Force Use of Corrupted Files - (263)
Attack Pattern: Forced Deadlock - (25)
Attack Pattern: Forced Integer Overflow - (92)
Attack Pattern: Forceful Browsing - (87)
Attack Pattern: Format String Injection - (135)
Category: Functionality Misuse - (212)
Attack Pattern: Fuzzing - (28)
Attack Pattern: Fuzzing and observing application log data/errors for application mapping - (215)
Attack Pattern: Fuzzing for garnering (through web or log) other adjacent user/sensitive data as an authorized system user (overly broad but valid SQL queries) - (261)
Attack Pattern: Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping - (214)
Attack Pattern: Global variable manipulation - (265)
Attack Pattern: Hijacking a privileged process - (234)
Attack Pattern: Hijacking a Privileged Thread of Execution - (30)
Attack Pattern: Host Discovery - (292)
Attack Pattern: HTTP Request Smuggling - (33)
Attack Pattern: HTTP Request Splitting - (105)
Attack Pattern: HTTP Response Smuggling - (273)
Attack Pattern: HTTP Response Splitting - (34)
Attack Pattern: HTTP Verb Tampering - (274)
Attack Pattern: ICMP Address Mask Request - (294)
Attack Pattern: ICMP Echo Request Ping - (285)
Attack Pattern: ICMP Echo Request Ping - (288)
Attack Pattern: ICMP Information Request - (296)
Attack Pattern: ICMP Timestamp Request - (295)
Attack Pattern: Identity Spoofing (Impersonation) - (151)
Attack Pattern: iFrame Overlay - (222)
Attack Pattern: IMAP/SMTP Command Injection - (183)
Attack Pattern: Implementing a callback to system routine (old AWT Queue) - (235)
Attack Pattern: Inducing Account Lockout - (2)
Attack Pattern: Infrastructure Manipulation - (161)
Attack Pattern: Infrastructure-based footprinting - (289)
Category: Injection (Injecting Control Plane content through the Data Plane) - (152)
Attack Pattern: Input Data Manipulation - (153)
Attack Pattern: Integer Attacks - (128)
Attack Pattern: Inter-component Protocol Manipulation - (276)
Attack Pattern: JSON Hijacking (aka JavaScript Hijacking) - (111)
Attack Pattern: LDAP Injection - (136)
Attack Pattern: Leverage Alternate Encoding - (267)
Attack Pattern: Leverage Executable Code in Nonexecutable Files - (35)
Attack Pattern: Leveraging Race Conditions - (26)
Attack Pattern: Leveraging Race Conditions via Symbolic Links - (27)
Attack Pattern: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions - (29)
Attack Pattern: Leveraging web tools (e.g. Mozilla's GreaseMonkey, Firebug) to change application behavior - (211)
Attack Pattern: Leveraging/Manipulating Configuration File Search Paths - (38)
Attack Pattern: Lifting cached, sensitive data embedded in client distributions (thick or thin) - (204)
Attack Pattern: Lifting credential(s)/key material embedded in client distributions (thick or thin) - (205)
Attack Pattern: Lifting Data Embedded in Client Distributions - (37)
Attack Pattern: Lifting Sensitive Data from the Client - (167)
Attack Pattern: Lifting signing key and signing malicious code from a production environment - (206)
Attack Pattern: Local Code Inclusion - (251)
Attack Pattern: Locate and Exploit Test APIs - (121)
Attack Pattern: Log Injection-Tampering-Forging - (93)
Attack Pattern: Malicious Automated Software Update - (187)
Attack Pattern: Malicious Software Download - (185)
Attack Pattern: Malicious Software Update - (186)
Attack Pattern: Man in the Middle Attack - (94)
Attack Pattern: Manipulate Application Registry Values - (203)
Attack Pattern: Manipulate Canonicalization - (266)
Attack Pattern: Manipulating hidden fields to change the normal flow of transactions (eShoplifting) - (162)
Attack Pattern: Manipulating Input to File System Calls - (76)
Attack Pattern: Manipulating Opaque Client-based Data Tokens - (39)
Attack Pattern: Manipulating User State - (74)
Attack Pattern: Manipulating User-Controlled Variables - (77)
Attack Pattern: Manipulating Writeable Configuration Files - (75)
Attack Pattern: Manipulating Writeable Terminal Devices - (40)
View: Mechanism of Attack - (1000)
View: Meta Abstractions - (282)
Attack Pattern: MIME Conversion - (42)
Attack Pattern: Mobile Phishing (aka MobPhishing) - (164)
Attack Pattern: Network Reconnaissance - (286)
Attack Pattern: Object Relational Mapping Injection - (109)
Attack Pattern: OS Command Injection - (88)
Attack Pattern: Overflow Binary Resource File - (44)
Attack Pattern: Overflow Buffers - (100)
Attack Pattern: Overflow Variables and Tags - (46)
Attack Pattern: Oversized Payloads Sent to XML Parsers - (231)
Attack Pattern: Parameter Injection - (137)
Attack Pattern: Passing Local Filenames to Functions That Expect a URL - (48)
Attack Pattern: Passively Sniff and Capture Application Code Bound for Authorized Client - (65)
Attack Pattern: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Dynamic Update - (258)
Attack Pattern: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Initial Distribution - (260)
Attack Pattern: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Patching - (259)
Attack Pattern: Password Brute Forcing - (49)
Attack Pattern: Password Recovery Exploitation - (50)
Category: Path Traversal - (126)
Attack Pattern: Pharming - (89)
Attack Pattern: Phishing - (98)
Attack Pattern: PHP Local File Inclusion - (252)
Attack Pattern: PHP Remote File Inclusion - (193)
Attack Pattern: Pointer Attack - (129)
Attack Pattern: Poison Web Service Registry - (51)
Attack Pattern: Port Scanning - (300)
Attack Pattern: Postfix, Null Terminate, and Backslash - (53)
Attack Pattern: Principal Spoofing - (195)
Category: Privilege Escalation - (233)
Category: Probabilistic Techniques - (223)
Attack Pattern: Probing an Application Through Targeting its Error Reporting - (54)
Attack Pattern: Programming to included script-based APIs - (160)
Attack Pattern: Protocol Manipulation - (272)
Attack Pattern: Protocol Reverse Engineering - (192)
Attack Pattern: Rainbow Table Password Cracking - (55)
Attack Pattern: Read Sensitive Strings Within an Executable - (191)
Attack Pattern: Recursive Payloads Sent to XML Parsers - (230)
Attack Pattern: Redirect Access to Libraries - (159)
Attack Pattern: Reflection Attack in Authentication Protocol - (90)
Attack Pattern: Reflection Injection - (138)
Attack Pattern: Registry Manipulation - (269)
Attack Pattern: Relative Path Traversal - (139)
Category: Remote Code Inclusion - (253)
Attack Pattern: Removal of filters: Input filters, output filters, data masking - (200)
Attack Pattern: Removing Important Functionality from the Client - (207)
Attack Pattern: Removing/short-circuiting 'guard logic' - (56)
Attack Pattern: Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements - (208)
Category: Resource Depletion - (119)
Attack Pattern: Resource Depletion through Allocation - (130)
Attack Pattern: Resource Depletion through DTD Injection in a SOAP Message - (228)
Attack Pattern: Resource Depletion through Flooding - (125)
Attack Pattern: Resource Depletion through Leak - (131)
Attack Pattern: Resource Injection - (240)
Attack Pattern: Resource Location Attacks - (154)
Category: Resource Manipulation - (262)
Attack Pattern: Restful Privilege Elevation - (58)
Attack Pattern: Reusing Session IDs (aka Session Replay) - (60)
Attack Pattern: Reverse Engineer an Executable to Expose Assumed Hidden Functionality or Content - (190)
Attack Pattern: Reverse Engineering - (188)
Attack Pattern: Schema Poisoning - (271)
Attack Pattern: Screen Temporary Files for Sensitive Information - (155)
Attack Pattern: Script Injection - (242)
Attack Pattern: Server Side Include (SSI) Injection - (101)
Attack Pattern: Session Credential Falsification through Forging - (196)
Attack Pattern: Session Credential Falsification through Manipulation - (226)
Attack Pattern: Session Credential Falsification through Prediction - (59)
Attack Pattern: Session Fixation - (61)
Attack Pattern: Session Sidejacking - (102)
Attack Pattern: Simple Script Injection - (63)
Attack Pattern: Sniffing Attacks - (157)
Attack Pattern: Sniffing Information Sent Over Public/multicast Networks - (158)
Attack Pattern: SOAP Array Overflow - (256)
Attack Pattern: Soap Manipulation - (279)
Attack Pattern: SOAP Parameter Tampering - (280)
Attack Pattern: Software Integrity Attacks - (184)
Attack Pattern: Software Reverse Engineering - (189)
Attack Pattern: Spear Phishing - (163)
Category: Spoofing - (156)
Attack Pattern: Spoofing of UDDI/ebXML Messages - (218)
Attack Pattern: SQL Injection - (66)
Attack Pattern: SQL Injection through SOAP Parameter Tampering - (110)
View: Standard Abstractions - (283)
Attack Pattern: String Format Overflow in syslog() - (67)
Attack Pattern: Subversion of authorization checks: cache filtering, programmatic security, etc. - (239)
Attack Pattern: Subvert Code-signing Facilities - (68)
Attack Pattern: Subverting Environment Variable Values - (13)
Attack Pattern: Symlink Attacks - (132)
Attack Pattern: Target Programs with Elevated Privileges - (69)
Attack Pattern: TCP ACK Ping - (297)
Attack Pattern: TCP ACK Scan - (305)
Attack Pattern: TCP Connect Scan - (301)
Attack Pattern: TCP FIN scan - (302)
Attack Pattern: TCP Null Scan - (304)
Attack Pattern: TCP RPC Scan - (307)
Attack Pattern: TCP SYN Ping - (299)
Attack Pattern: TCP SYN Scan - (287)
Attack Pattern: TCP Window Scan - (306)
Attack Pattern: TCP Xmas Scan - (303)
Category: Time and State Attacks - (172)
Attack Pattern: Traceroute Route Enumeration - (293)
Attack Pattern: Try All Common Application Switches and Options - (133)
Attack Pattern: Try Common (default) Usernames and Passwords - (70)
Attack Pattern: UDP Ping - (298)
Attack Pattern: UDP Scan - (308)
Attack Pattern: URL Encoding - (72)
Attack Pattern: User-Controlled Filename - (73)
Attack Pattern: Using Alternative IP Address Encodings - (4)
Attack Pattern: Using Escaped Slashes in Alternate Encoding - (78)
Attack Pattern: Using Leading 'Ghost' Character Sequences to Bypass Input Filters - (3)
Attack Pattern: Using Meta-characters in E-mail Headers to Inject Malicious Payloads - (41)
Attack Pattern: Using Slashes and URL Encoding Combined to Bypass Validation Logic - (64)
Attack Pattern: Using Slashes in Alternate Encoding - (79)
Attack Pattern: Using Unicode Encoding to Bypass Validation Logic - (71)
Attack Pattern: Using Unpublished Web Service APIs - (36)
Attack Pattern: Using URL/codebase / G.A.C. (code source) to convince sandbox of privilege - (238)
Attack Pattern: Using UTF-8 Encoding to Bypass Validation Logic - (80)
Attack Pattern: Utilizing REST's Trust in the System Resource to Register Man in the Middle - (57)
Attack Pattern: Variable Manipulation - (171)
Attack Pattern: Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS)) - (82)
Attack Pattern: Web Logs Tampering - (81)
Attack Pattern: Web Server/Application Fingerprinting - (170)
Category: Web Services Protocol Manipulation - (278)
Attack Pattern: Windows ::DATA Alternate Data Stream - (168)
Attack Pattern: WSDL Scanning - (95)
Attack Pattern: XEE (XML Entity Expansion) - (197)
Attack Pattern: XML Attribute Blowup - (229)
Attack Pattern: XML Injection - (250)
Attack Pattern: XML Parser Attack - (99)
Attack Pattern: XML Ping of Death - (147)
Attack Pattern: XML Routing Detour Attacks - (219)
Attack Pattern: XML Schema Poisoning - (146)
Attack Pattern: XPath Injection - (83)
Attack Pattern: XQuery Injection - (84)
Attack Pattern: XSS in IMG Tags - (91)
Page Last Updated: September 22, 2009