Home > CAPEC List > Reports > Differences between 1.2 and 1.3 Content  

Differences between 1.2 and 1.3 Content

CAPEC Version 1.3 has been posted on the CAPEC List page. This new version contains a great deal of improvement and refinement to existing CAPEC content as well as addition of a significant amount of new and useful content.

Highlights for this version include: clean-up of content accuracy, clarity and consistency across a broad set of the existing content; updated and refined mapping of attack patterns to relevant entries in the Common Weakness Enumeration (CWE™); addition of 11 newly authored full attack patterns; update of 16 existing patterns with enhanced "attack flow" descriptions (bringing the total of such enhanced patterns to 41); addition of 71 newly authored attack pattern stubs (from the CAPEC Attack Taxonomy) consisting of an assigned CAPEC-ID number and a minimal set of pattern content (Description, Attack_Prerequisites, Typical_Severity, Resources_Required) to enable identification and discrimination of each pattern; minor modification of the CAPEC schema in the addition of a Pattern_Completeness attribute for each pattern to allow easy discrimination between attack pattern stubs and full attack patterns; and clean-up, refinement, and additions to the CAPEC Attack Taxonomy.

The new and enhanced patterns for this version are listed below.

Newly added full attack patterns:

CAPEC-102 - Session Sidejacking
CAPEC-103 - Clickjacking
CAPEC-104 - Cross Zone Scripting
CAPEC-105 - HTTP Request Splitting
CAPEC-106 - Cross Site Scripting through Log Files
CAPEC-107 - Cross Site Tracing
CAPEC-108 - Command Line Execution through SQL Injection
CAPEC-109 - Object Relational Mapping Injection
CAPEC-110 - SQL Injection through SOAP Parameter Tampering
CAPEC-111 - JSON Hijacking (aka JavaScript Hijacking)
CAPEC-112 - Brute Force

Updated attack patterns with enhanced "attack flow" descriptions:

CAPEC-6 - Argument Injection
CAPEC-11 - Cause Web Server Misclassification
CAPEC-86 - Embedding Script (XSS ) in HTTP Headers
CAPEC-32 - Embedding Scripts in HTTP Query Strings
CAPEC-18 - Embedding Scripts in Nonscript Elements
CAPEC-19 - Embedding Scripts within Scripts
CAPEC-33 - HTTP Request Smuggling
CAPEC-34 - HTTP Response Splitting
CAPEC-76 - Manipulating Input to File System Calls
CAPEC-63 - Simple Script Injection
CAPEC-41 - Using Meta-characters in E-mail Headers to Inject Malicious Payloads
CAPEC-71 - Using Unicode Encoding to Bypass Validation Logic
CAPEC-80 - Using UTF-8 Encoding to Bypass Validation Logic
CAPEC-81 - Web Logs Tampering
CAPEC-84 - XQuery Injection
CAPEC-91 - XSS in IMG Tags

New attack pattern stubs:

CAPEC-113 - API Abuse/Misuse
CAPEC-114 - Authentication Abuse
CAPEC-115 - Authentication Bypass
CAPEC-116 - Data Excavation Attacks
CAPEC-117 - Data Interception Attacks
CAPEC-118 - Data Leakage Attacks
CAPEC-119 - Resource Depletion
CAPEC-120 - Double Encoding
CAPEC-121 - Locate and Exploit Test APIs
CAPEC-122 - Exploitation of Authorization
CAPEC-123 - Buffer Attacks
CAPEC-124 - Attack through Shared Data
CAPEC-125 - Resource Depletion through Flooding
CAPEC-126 - Path Traversal
CAPEC-127 - Directory Indexing
CAPEC-128 - Integer Attacks
CAPEC-129 - Pointer Attack
CAPEC-130 - Resource Depletion through Allocation
CAPEC-131 - Resource Depletion through Leak
CAPEC-132 - Symlink Attacks
CAPEC-133 - Try All Common Application Switches and Options
CAPEC-134 - Email Injection
CAPEC-135 - Format String Injection
CAPEC-136 - LDAP Injection
CAPEC-137 - Parameter Injection
CAPEC-138 - Reflection Injection
CAPEC-139 - Relative Path Traversal
CAPEC-140 - Bypassing of Intermediate Forms in Multiple-Form Sets
CAPEC-141 - Cache Poisoning
CAPEC-142 - DNS Cache Poisoning
CAPEC-143 - Detect Unpublicised Web Pages
CAPEC-144 - Detect Unpublicised Web Services
CAPEC-145 - Checksum Spoofing
CAPEC-146 - XML Schema Poisoning
CAPEC-147 - XML Ping of Death
CAPEC-148 - Content Spoofing
CAPEC-149 - Explore for predictable temporary file names
CAPEC-150 - Common resource location exploration
CAPEC-151 - Identity Spoofing (Impersonation)
CAPEC-152 - Injection (Injecting Control Plane content through the Data Plane)
CAPEC-153 - Input Data Manipulation
CAPEC-154 - Resource Location Attacks
CAPEC-155 - Screen Temporary Files for Sensitive Information
CAPEC-156 - Spoofing
CAPEC-157 - Sniffing Attacks
CAPEC-158 - Sniffing Information Sent Over Public/multicast Networks
CAPEC-159 - Redirect Access to Libraries
CAPEC-160 - Programming to included script-based APIs
CAPEC-161 - Infrastructure Manipulation
CAPEC-162 - Manipulating hidden fields to change the normal flow of transactions (eShoplifting)
CAPEC-163 - Spear Phishing
CAPEC-164 - Mobile Phishing (aka MobPhishing)
CAPEC-165 - File Manipulation
CAPEC-166 - Force the System to Reset Values
CAPEC-167 - Lifting Sensitive Data from the Client
CAPEC-168 - Windows ::DATA Alternate Data Stream
CAPEC-169 - Footprinting
CAPEC-170 - Web Server/Application Fingerprinting
CAPEC-171 - Variable Manipulation
CAPEC-172 - Time and State Attacks
CAPEC-173 - Action Spoofing
CAPEC-174 - Flash Parameter Injection
CAPEC-175 - Code Inclusion
CAPEC-176 - Configuration/Environment manipulation
CAPEC-177 - Create files with the same name as files protected with a higher classification
CAPEC-178 - Cross-Site Flashing
CAPEC-179 - Discovering, querying, and finally calling micro-services, such as w/ AJAX
CAPEC-180 - Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-181 - Flash File Overlay
CAPEC-182 - Flash Injection
CAPEC-183 - IMAP/SMTP Command Injection

More information is available — Please select a different filter.
Page Last Updated or Reviewed: March 30, 2010