
Differences between 2.9 and 2.10 Content

Summary
Total (2.10) 623
Total (2.9) 609
Attack Patterns
New Patterns Added 14
Existing Patterns Modified with Enhanced Material 88
Patterns Deprecated 7
Categories
Existing Categories Modified with Enhanced Material 3
CAPEC -> CWE Mappings
CAPEC -> CWE Mappings Added 27
CAPEC -> CWE Mappings Removed 118

Summary of Entry Types

Type              2.9    2.10
Views               9       9
Categories         49      49
Attack Patterns   503     510
Deprecated         48      55

Attack Pattern Changes
New Patterns Added
CAPEC-559 Orbital Jamming
CAPEC-582 Route Disabling
CAPEC-583 Disabling Network Hardware
CAPEC-584 BGP Route Disabling
CAPEC-585 DNS Domain Seizure
CAPEC-586 Object Injection
CAPEC-587 Cross Frame Scripting (XFS)
CAPEC-588 DOM-Based XSS
CAPEC-589 DNS Blocking
CAPEC-590 IP Address Blocking
CAPEC-591 Reflected XSS
CAPEC-592 Stored XSS
CAPEC-593 Session Hijacking
CAPEC-599 Terrestrial Jamming

Existing Patterns Modified with Enhanced Material
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
CAPEC-3 Using Leading 'Ghost' Character Sequences to Bypass Input Filters
CAPEC-17 Accessing, Modifying or Executing Executable Files
CAPEC-18 XSS Targeting Non-Script Elements
CAPEC-19 Embedding Scripts within Scripts
CAPEC-25 Forced Deadlock
CAPEC-26 Leveraging Race Conditions
CAPEC-32 XSS Through HTTP Query Strings
CAPEC-47 Buffer Overflow via Parameter Expansion
CAPEC-60 Reusing Session IDs (aka Session Replay)
CAPEC-61 Session Fixation
CAPEC-62 Cross Site Request Forgery
CAPEC-63 Cross-Site Scripting (XSS)
CAPEC-73 User-Controlled Filename
CAPEC-74 Manipulating User State
CAPEC-81 Web Logs Tampering
CAPEC-86 XSS Through HTTP Headers
CAPEC-89 Pharming
CAPEC-93 Log Injection-Tampering-Forging
CAPEC-102 Session Sidejacking
CAPEC-107 Cross Site Tracing
CAPEC-113 API Manipulation
CAPEC-116 Excavation
CAPEC-117 Interception
CAPEC-125 Flooding
CAPEC-130 Excessive Allocation
CAPEC-131 Resource Leak Exposure
CAPEC-137 Parameter Injection
CAPEC-139 Relative Path Traversal
CAPEC-148 Content Spoofing
CAPEC-151 Identity Spoofing
CAPEC-154 Resource Location Spoofing
CAPEC-169 Footprinting
CAPEC-170 Web Application Fingerprinting
CAPEC-173 Action Spoofing
CAPEC-174 Flash Parameter Injection
CAPEC-175 Code Inclusion
CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-182 Flash Injection
CAPEC-188 Reverse Engineering
CAPEC-192 Protocol Analysis
CAPEC-195 Principal Spoof
CAPEC-198 XSS Targeting Error Pages
CAPEC-199 XSS Using Alternate Syntax
CAPEC-209 XSS Using MIME Type Mismatch
CAPEC-212 Functionality Misuse
CAPEC-216 Communication Channel Manipulation
CAPEC-224 Fingerprinting
CAPEC-240 Resource Injection
CAPEC-242 Code Injection
CAPEC-243 XSS Targeting HTML Attributes
CAPEC-244 XSS Targeting URI Placeholders
CAPEC-245 XSS Using Doubled Characters
CAPEC-247 XSS Using Invalid Characters
CAPEC-248 Command Injection
CAPEC-275 DNS Rebinding
CAPEC-312 Active OS Fingerprinting
CAPEC-313 Passive OS Fingerprinting
CAPEC-317 IP ID Sequencing Probe
CAPEC-318 IP 'ID' Echoed Byte-Order Probe
CAPEC-319 IP (DF) 'Don't Fragment Bit' Echoing Probe
CAPEC-320 TCP Timestamp Probe
CAPEC-321 TCP Sequence Number Probe
CAPEC-322 TCP (ISN) Greatest Common Divisor Probe
CAPEC-323 TCP (ISN) Counter Rate Probe
CAPEC-324 TCP (ISN) Sequence Predictability Probe
CAPEC-325 TCP Congestion Control Flag (ECN) Probe
CAPEC-326 TCP Initial Window Size Probe
CAPEC-327 TCP Options Probe
CAPEC-328 TCP 'RST' Flag Checksum Probe
CAPEC-329 ICMP Error Message Quoting Probe
CAPEC-330 ICMP Error Message Echoing Integrity Probe
CAPEC-331 ICMP IP Total Length Field Probe
CAPEC-332 ICMP IP 'ID' Field Error Message Probe
CAPEC-416 Target Influence via Social Engineering
CAPEC-428 Target Influence via Modes of Thinking
CAPEC-459 Creating a Rogue Certification Authority Certificate
CAPEC-475 Signature Spoofing by Improper Validation
CAPEC-506 Tapjacking
CAPEC-543 Counterfeit Websites
CAPEC-549 Local Execution of Code
CAPEC-550 Install New Service
CAPEC-594 Traffic Injection
CAPEC-601 Jamming
CAPEC-616 Establish Rogue Location
CAPEC-624 Fault Injection
CAPEC-627 Counterfeit GPS Signals
CAPEC-628 Carry-Off GPS Attack

Patterns Deprecated
CAPEC-106 DEPRECATED: XSS through Log Files
CAPEC-246 DEPRECATED: XSS Using Flash
CAPEC-311 DEPRECATED: OS Fingerprinting
CAPEC-314 DEPRECATED: IP Fingerprinting Probes
CAPEC-315 DEPRECATED: TCP/IP Fingerprinting Probes
CAPEC-316 DEPRECATED: ICMP Fingerprinting Probes
CAPEC-91 DEPRECATED: XSS in IMG Tags

Category Changes
New Categories Added

Existing Categories Modified with Enhanced Material
CAPEC-152 Inject Unexpected Items
CAPEC-341 WASC-08 - Cross-Site Scripting
CAPEC-370 WASC-37 - Session Fixation

Categories Deprecated

View Changes
Views Added

Existing Views Modified with Enhanced Material

Views Deprecated

Mapping Changes
CAPEC --> CWE Mappings Added
CAPEC-25 Forced Deadlock
  --> CWE-667 Improper Locking
  --> CWE-833 Deadlock
CAPEC-32 XSS Through HTTP Query Strings
  --> CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CAPEC-81 Web Logs Tampering
  --> CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
CAPEC-86 XSS Through HTTP Headers
  --> CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CAPEC-89 Pharming
  --> CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action
CAPEC-93 Log Injection-Tampering-Forging
  --> CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
CAPEC-113 API Manipulation
  --> CWE-227 Improper Fulfillment of API Contract ('API Abuse')
CAPEC-116 Excavation
  --> CWE-200 Information Exposure
CAPEC-117 Interception
  --> CWE-200 Information Exposure
CAPEC-148 Content Spoofing
  --> CWE-345 Insufficient Verification of Data Authenticity
CAPEC-151 Identity Spoofing
  --> CWE-287 Improper Authentication
CAPEC-175 Code Inclusion
  --> CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CAPEC-209 XSS Using MIME Type Mismatch
  --> CWE-20 Improper Input Validation
CAPEC-224 Fingerprinting
  --> CWE-200 Information Exposure
CAPEC-240 Resource Injection
  --> CWE-99 Improper Control of Resource Identifiers ('Resource Injection')
CAPEC-242 Code Injection
  --> CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CAPEC-248 Command Injection
  --> CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC-275 DNS Rebinding
  --> CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action
CAPEC-588 DOM-Based XSS
  --> CWE-20 Improper Input Validation
  --> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC-591 Reflected XSS
  --> CWE-20 Improper Input Validation
  --> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC-592 Stored XSS
  --> CWE-20 Improper Input Validation
  --> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC-593 Session Hijacking
  --> CWE-287 Improper Authentication
CAPEC-616 Establish Rogue Location
  --> CWE-200 Information Exposure

CAPEC --> CWE Mappings Removed
CAPEC-18 Embedding Scripts in Non-Script Elements
  --> CWE-20 Improper Input Validation
  --> CWE-71 Apple '.DS_Store'
  --> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  --> CWE-82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
  --> CWE-83 Improper Neutralization of Script in Attributes in a Web Page
  --> CWE-84 Improper Neutralization of Encoded URI Schemes in a Web Page
  --> CWE-86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
  --> CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
  --> CWE-116 Improper Encoding or Escaping of Output
  --> CWE-184 Incomplete Blacklist
  --> CWE-348 Use of Less Trusted Source
  --> CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action
  --> CWE-692 Incomplete Blacklist to Cross-Site Scripting
  --> CWE-697 Insufficient Comparison
  --> CWE-713 OWASP Top Ten 2007 Category A2 - Injection Flaws
CAPEC-19 Embedding Scripts within Scripts
  --> CWE-71 Apple '.DS_Store'
  --> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  --> CWE-276 Incorrect Default Permissions
  --> CWE-279 Incorrect Execution-Assigned Permissions
  --> CWE-692 Incomplete Blacklist to Cross-Site Scripting
  --> CWE-697 Insufficient Comparison
  --> CWE-713 OWASP Top Ten 2007 Category A2 - Injection Flaws
CAPEC-32 Embedding Scripts in HTTP Query Strings
  --> CWE-20 Improper Input Validation
  --> CWE-71 Apple '.DS_Store'
  --> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  --> CWE-84 Improper Neutralization of Encoded URI Schemes in a Web Page
  --> CWE-85 Doubled Character XSS Manipulations
  --> CWE-86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
  --> CWE-692 Incomplete Blacklist to Cross-Site Scripting
  --> CWE-697 Insufficient Comparison
  --> CWE-713 OWASP Top Ten 2007 Category A2 - Injection Flaws
CAPEC-56 Removing/short-circuiting 'guard logic'
  --> CWE-288 Authentication Bypass Using an Alternate Path or Channel
  --> CWE-372 Incomplete Internal State Distinction
  --> CWE-510 Trapdoor
  --> CWE-693 Protection Mechanism Failure
  --> CWE-721 OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access
CAPEC-63 Simple Script Injection
  --> CWE-71 Apple '.DS_Store'
  --> CWE-86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
  --> CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
  --> CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
  --> CWE-116 Improper Encoding or Escaping of Output
  --> CWE-184 Incomplete Blacklist
  --> CWE-348 Use of Less Trusted Source
  --> CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action
  --> CWE-602 Client-Side Enforcement of Server-Side Security
  --> CWE-692 Incomplete Blacklist to Cross-Site Scripting
  --> CWE-697 Insufficient Comparison
  --> CWE-713 OWASP Top Ten 2007 Category A2 - Injection Flaws
CAPEC-81 Web Logs Tampering
  --> CWE-92 DEPRECATED: Improper Sanitization of Custom Special Characters
CAPEC-86 Embedding Script (XSS) in HTTP Headers
  --> CWE-20 Improper Input Validation
  --> CWE-71 Apple '.DS_Store'
  --> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  --> CWE-86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
  --> CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
  --> CWE-116 Improper Encoding or Escaping of Output
  --> CWE-184 Incomplete Blacklist
  --> CWE-348 Use of Less Trusted Source
  --> CWE-692 Incomplete Blacklist to Cross-Site Scripting
  --> CWE-697 Insufficient Comparison
  --> CWE-713 OWASP Top Ten 2007 Category A2 - Injection Flaws
CAPEC-89 Pharming
  --> CWE-247 DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision
  --> CWE-292 DEPRECATED (Duplicate): Trusting Self-reported DNS Name
CAPEC-91 XSS in IMG Tags
  --> CWE-20 Improper Input Validation
  --> CWE-71 Apple '.DS_Store'
  --> CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  --> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  --> CWE-82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
  --> CWE-692 Incomplete Blacklist to Cross-Site Scripting
  --> CWE-697 Insufficient Comparison
  --> CWE-713 OWASP Top Ten 2007 Category A2 - Injection Flaws
CAPEC-93 Log Injection-Tampering-Forging
  --> CWE-92 DEPRECATED: Improper Sanitization of Custom Special Characters
CAPEC-106 Cross Site Scripting through Log Files
  --> CWE-20 Improper Input Validation
  --> CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  --> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  --> CWE-117 Improper Output Neutralization for Logs
CAPEC-113 API Manipulation
  --> CWE-676 Use of Potentially Dangerous Function
CAPEC-117 Interception
  --> CWE-311 Missing Encryption of Sensitive Data
CAPEC-119 Deplete Resources
  --> CWE-404 Improper Resource Shutdown or Release
  --> CWE-770 Allocation of Resources Without Limits or Throttling
CAPEC-169 Footprinting
  --> CWE-202 Exposure of Sensitive Data Through Data Queries
  --> CWE-276 Incorrect Default Permissions
  --> CWE-311 Missing Encryption of Sensitive Data
  --> CWE-312 Cleartext Storage of Sensitive Information
  --> CWE-319 Cleartext Transmission of Sensitive Information
  --> CWE-497 Exposure of System Data to an Unauthorized Control Sphere
  --> CWE-538 File and Directory Information Exposure
CAPEC-171 Variable Manipulation
  --> CWE-20 Improper Input Validation
  --> CWE-471 Modification of Assumed-Immutable Data (MAID)
CAPEC-198 Cross-Site Scripting in Error Pages
  --> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC-199 Cross-Site Scripting Using Alternate Syntax
  --> CWE-20 Improper Input Validation
  --> CWE-71 Apple '.DS_Store'
  --> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  --> CWE-85 Doubled Character XSS Manipulations
  --> CWE-86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
  --> CWE-692 Incomplete Blacklist to Cross-Site Scripting
  --> CWE-697 Insufficient Comparison
  --> CWE-713 OWASP Top Ten 2007 Category A2 - Injection Flaws
CAPEC-205 Lifting credential(s)/key material embedded in client distributions (thick or thin)
  --> CWE-259 Use of Hard-coded Password
  --> CWE-522 Insufficiently Protected Credentials
CAPEC-209 Cross-Site Scripting Using MIME Type Mismatch
  --> CWE-345 Insufficient Verification of Data Authenticity
CAPEC-224 Fingerprinting
  --> CWE-208 Information Exposure Through Timing Discrepancy
CAPEC-243 Cross-Site Scripting in Attributes
  --> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC-244 Cross-Site Scripting via Encoded URI Schemes
  --> CWE-20 Improper Input Validation
  --> CWE-71 Apple '.DS_Store'
  --> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  --> CWE-85 Doubled Character XSS Manipulations
  --> CWE-86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
  --> CWE-692 Incomplete Blacklist to Cross-Site Scripting
  --> CWE-697 Insufficient Comparison
  --> CWE-713 OWASP Top Ten 2007 Category A2 - Injection Flaws
CAPEC-245 Cross-Site Scripting Using Doubled Characters, e.g. %3C%3Cscript
  --> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC-246 Cross-Site Scripting Using Flash
  --> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC-247 Cross-Site Scripting with Masking through Invalid Characters in Identifiers
  --> CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC-264 Environment Variable Manipulation
  --> CWE-20 Improper Input Validation
  --> CWE-471 Modification of Assumed-Immutable Data (MAID)
CAPEC-265 Global variable manipulation
  --> CWE-20 Improper Input Validation
  --> CWE-471 Modification of Assumed-Immutable Data (MAID)
CAPEC-275 DNS Rebinding
  --> CWE-247 DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision

CAPEC --> CAPEC Mappings Added

CAPEC --> CAPEC Mappings Removed
Page Last Updated or Reviewed: May 01, 2017