Home > CAPEC List > Reports > Differences between 2.7 and 2.8 Content  

Differences between 2.7 and 2.8 Content

Total (2.8) 604
Total (2.7) 603
Attack Patterns
New Patterns Added 3
Existing Patterns Modified with Enhanced Material 53
Patterns Deprecated 4
Existing Categories Modified with Enhanced Material 2
CAPEC -> CWE Mappings
CAPEC -> CWE Mappings Removed 3

Summary of Entry Types

Type 2.7 2.8
Views 9 9
Categories 57 56
Attack Patterns 505 504
Deprecated 32 35

Attack Pattern Changes
Attack Pattern Changes
New Patterns Added
CAPEC-157 Sniffing Attacks
CAPEC-233 Privilege Escalation
CAPEC-554 Functionality Bypass

Existing Patterns Modified with Enhanced Material
CAPEC-3 Using Leading 'Ghost' Character Sequences to Bypass Input Filters
CAPEC-12 Choosing Message Identifier
CAPEC-17 Accessing, Modifying or Executing Executable Files
CAPEC-22 Exploiting Trust in Client
CAPEC-23 File Content Injection
CAPEC-32 Embedding Scripts in HTTP Query Strings
CAPEC-35 Leverage Executable Code in Non-Executable Files
CAPEC-36 Using Unpublished APIs
CAPEC-44 Overflow Binary Resource File
CAPEC-47 Buffer Overflow via Parameter Expansion
CAPEC-48 Passing Local Filenames to Functions That Expect a URL
CAPEC-58 Restful Privilege Elevation
CAPEC-62 Cross Site Request Forgery (aka Session Riding)
CAPEC-65 Sniff Application Code
CAPEC-75 Manipulating Writeable Configuration Files
CAPEC-87 Forceful Browsing
CAPEC-89 Pharming
CAPEC-95 WSDL Scanning
CAPEC-104 Cross Zone Scripting
CAPEC-111 JSON Hijacking (aka JavaScript Hijacking)
CAPEC-113 API Manipulation
CAPEC-122 Privilege Abuse
CAPEC-133 Try All Common Switches
CAPEC-139 Relative Path Traversal
CAPEC-141 Cache Poisoning
CAPEC-143 Detect Unpublicized Web Pages
CAPEC-144 Detect Unpublicized Web Services
CAPEC-150 Collect Data from Common Resource Locations
CAPEC-157 Sniffing Attacks
CAPEC-158 Sniffing Network Traffic
CAPEC-160 Exploit Script-Based APIs
CAPEC-162 Manipulating Hidden Fields
CAPEC-170 Web Application Fingerprinting
CAPEC-179 Calling Micro-Services Directly
CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-200 Removal of filters: Input filters, output filters, data masking
CAPEC-207 Removing Important Client Functionality
CAPEC-208 Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements
CAPEC-212 Functionality Misuse
CAPEC-213 Directory Traversal
CAPEC-216 Communication Channel Manipulation
CAPEC-217 Exploiting Incorrectly Configured SSL
CAPEC-233 Privilege Escalation
CAPEC-239 Subversion of authorization checks: cache filtering, programmatic security, etc.
CAPEC-240 Resource Injection
CAPEC-310 Scanning for Vulnerable Software
CAPEC-464 Evercookie
CAPEC-465 Transparent Proxy Abuse
CAPEC-468 Generic Cross-Browser Cross-Domain Theft
CAPEC-545 Pull Data from System Resources
CAPEC-560 Use of Known Domain Credentials
CAPEC-609 Cellular Traffic Intercept
CAPEC-620 Drop Encryption Level

Patterns Deprecated
CAPEC-211 Leveraging web tools (e.g. Mozilla's GreaseMonkey, Firebug) to change application behavior
CAPEC-241 Code Injection
CAPEC-56 Removing/short-circuiting 'guard logic'
CAPEC-602 Degradation
Category Changes
Category Changes
New Categories Added

Existing Categories Modified with Enhanced Material
CAPEC-210 Abuse of Functionality
CAPEC-232 Exploitation of Authorization

Categories Deprecated
View Changes
View Changes
Views Added

Existing Views Modified with Enhanced Material

Views Deprecated
Mapping Changes
Mapping Changes
CAPEC --> CWE Mappings Added

CAPEC --> CWE Mappings Removed
CAPEC-232 Exploitation of Authorization
  --> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  --> CWE-732 Incorrect Permission Assignment for Critical Resource
  --> CWE-807 Reliance on Untrusted Inputs in a Security Decision

CAPEC --> CAPEC Mappings Added

CAPEC --> CAPEC Mappings Removed

More information is available — Please select a different filter.
Page Last Updated or Reviewed: October 28, 2016