New to CAPEC? Start Here
Home > CAPEC List > Reports > Differences between 2.10 and 2.11 Content  

Differences between 2.10 and 2.11 Content

Summary

Total (2.11) (not including Deprecated) 566
Total (2.10) (not including Deprecated) 568
Attack Patterns
New Patterns Added 3
Existing Patterns Modified with Enhanced Material 138
Patterns Deprecated 5
Categories
Existing Categories Modified with Enhanced Material 25
CAPEC -> CWE Mappings
CAPEC -> CWE Mappings Added 3
CAPEC -> CWE Mappings Removed 7

Summary of Entry Types

Type 2.10 2.11
Views 9 9
Categories 49 49
Attack Patterns 510 508
Deprecated 55 60

Back to top

Attack Pattern Changes

New Patterns Added
CAPEC-630 TypoSquatting
CAPEC-631 SoundSquatting
CAPEC-632 Homograph Attack via Homoglyphs

Existing Patterns Modified with Enhanced Material
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
CAPEC-3 Using Leading 'Ghost' Character Sequences to Bypass Input Filters
CAPEC-4 Using Alternative IP Address Encodings
CAPEC-7 Blind SQL Injection
CAPEC-11 Cause Web Server Misclassification
CAPEC-19 Embedding Scripts within Scripts
CAPEC-23 File Content Injection
CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
CAPEC-30 Hijacking a Privileged Thread of Execution
CAPEC-31 Accessing/Intercepting/Modifying HTTP Cookies
CAPEC-32 XSS Through HTTP Query Strings
CAPEC-33 HTTP Request Smuggling
CAPEC-34 HTTP Response Splitting
CAPEC-36 Using Unpublished APIs
CAPEC-40 Manipulating Writeable Terminal Devices
CAPEC-47 Buffer Overflow via Parameter Expansion
CAPEC-48 Passing Local Filenames to Functions That Expect a URL
CAPEC-49 Password Brute Forcing
CAPEC-59 Session Credential Falsification through Prediction
CAPEC-61 Session Fixation
CAPEC-62 Cross Site Request Forgery
CAPEC-64 Using Slashes and URL Encoding Combined to Bypass Validation Logic
CAPEC-66 SQL Injection
CAPEC-70 Try Common or Default Usernames and Passwords
CAPEC-83 XPath Injection
CAPEC-87 Forceful Browsing
CAPEC-89 Pharming
CAPEC-94 Man in the Middle Attack
CAPEC-100 Overflow Buffers
CAPEC-101 Server Side Include (SSI) Injection
CAPEC-102 Session Sidejacking
CAPEC-103 Clickjacking
CAPEC-104 Cross Zone Scripting
CAPEC-105 HTTP Request Splitting
CAPEC-107 Cross Site Tracing
CAPEC-108 Command Line Execution through SQL Injection
CAPEC-109 Object Relational Mapping Injection
CAPEC-110 SQL Injection through SOAP Parameter Tampering
CAPEC-111 JSON Hijacking (aka JavaScript Hijacking)
CAPEC-112 Brute Force
CAPEC-115 Authentication Bypass
CAPEC-120 Double Encoding
CAPEC-122 Privilege Abuse
CAPEC-124 Shared Data Manipulation
CAPEC-127 Directory Indexing
CAPEC-128 Integer Attacks
CAPEC-129 Pointer Manipulation
CAPEC-130 Excessive Allocation
CAPEC-131 Resource Leak Exposure
CAPEC-132 Symlink Attack
CAPEC-133 Try All Common Switches
CAPEC-134 Email Injection
CAPEC-135 Format String Injection
CAPEC-137 Parameter Injection
CAPEC-138 Reflection Injection
CAPEC-139 Relative Path Traversal
CAPEC-140 Bypassing of Intermediate Forms in Multiple-Form Sets
CAPEC-142 DNS Cache Poisoning
CAPEC-145 Checksum Spoofing
CAPEC-148 Content Spoofing
CAPEC-149 Explore for Predictable Temporary File Names
CAPEC-150 Collect Data from Common Resource Locations
CAPEC-151 Identity Spoofing
CAPEC-153 Input Data Manipulation
CAPEC-154 Resource Location Spoofing
CAPEC-155 Screen Temporary Files for Sensitive Information
CAPEC-158 Sniffing Network Traffic
CAPEC-160 Exploit Script-Based APIs
CAPEC-162 Manipulating Hidden Fields
CAPEC-163 Spear Phishing
CAPEC-165 File Manipulation
CAPEC-166 Force the System to Reset Values
CAPEC-168 Windows ::DATA Alternate Data Stream
CAPEC-170 Web Application Fingerprinting
CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-182 Flash Injection
CAPEC-183 IMAP/SMTP Command Injection
CAPEC-187 Malicious Automated Software Update
CAPEC-191 Read Sensitive Strings Within an Executable
CAPEC-193 PHP Remote File Inclusion
CAPEC-195 Principal Spoof
CAPEC-197 XML Entity Expansion
CAPEC-198 XSS Targeting Error Pages
CAPEC-200 Removal of filters: Input filters, output filters, data masking
CAPEC-201 XML Entity Blowup
CAPEC-203 Manipulate Application Registry Values
CAPEC-206 Lifting signing key and signing malicious code from a production environment
CAPEC-208 Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements
CAPEC-219 XML Routing Detour Attacks
CAPEC-221 XML External Entities
CAPEC-222 iFrame Overlay
CAPEC-228 DTD Injection
CAPEC-229 XML Attribute Blowup
CAPEC-234 Hijacking a privileged process
CAPEC-236 Catching exception throw/signal from privileged block
CAPEC-237 Calling Signed Code From Another Language Within A Sandbox Allow This
CAPEC-247 XSS Using Invalid Characters
CAPEC-250 XML Injection
CAPEC-251 Local Code Inclusion
CAPEC-256 SOAP Array Overflow
CAPEC-273 HTTP Response Smuggling
CAPEC-275 DNS Rebinding
CAPEC-285 ICMP Echo Request Ping
CAPEC-294 ICMP Address Mask Request
CAPEC-295 ICMP Timestamp Request
CAPEC-296 ICMP Information Request
CAPEC-406 Dumpster Diving
CAPEC-407 Pretexting
CAPEC-410 Information Elicitation
CAPEC-412 Pretexting via Customer Service
CAPEC-413 Pretexting via Tech Support
CAPEC-414 Pretexting via Delivery Person
CAPEC-415 Pretexting via Phone
CAPEC-416 Manipulate Human Behavior
CAPEC-417 Influence Perception
CAPEC-418 Influence Perception of Reciprocation
CAPEC-420 Influence Perception of Scarcity
CAPEC-421 Influence Perception of Authority
CAPEC-422 Influence Perception of Commitment and Consistency
CAPEC-423 Influence Perception of Liking
CAPEC-424 Influence Perception of Consensus or Social Proof
CAPEC-425 Target Influence via Framing
CAPEC-426 Influence via Incentives
CAPEC-427 Influence via Psychological Principles
CAPEC-429 Target Influence via Eye Cues
CAPEC-463 Padding Oracle Crypto Attack
CAPEC-491 XML Quadratic Expansion
CAPEC-506 Tapjacking
CAPEC-546 Probe Application Memory
CAPEC-588 DOM-Based XSS
CAPEC-590 IP Address Blocking
CAPEC-591 Reflected XSS
CAPEC-592 Stored XSS
CAPEC-603 Blockage
CAPEC-604 Wi-Fi Jamming
CAPEC-610 Cellular Data Injection
CAPEC-611 BitSquatting
CAPEC-624 Fault Injection

Patterns Deprecated
CAPEC-404 DEPRECATED: Social Information Gathering Attacks
CAPEC-405 DEPRECATED: Social Information Gathering via Research
CAPEC-408 DEPRECATED: Information Gathering from Traditional Sources
CAPEC-409 DEPRECATED: Information Gathering from Non-Traditional Sources
CAPEC-419 DEPRECATED: Target Influence via Perception of Concession
Back to top

Category Changes

New Categories Added

Existing Categories Modified with Enhanced Material
CAPEC-118 Collect and Analyze Information
CAPEC-210 Abuse Existing Functionality
CAPEC-339 WASC-06 - Format String
CAPEC-340 WASC-07 - Buffer Overflow
CAPEC-342 WASC-09 - Cross-Site Request Forgery
CAPEC-344 WASC-11 - Brute Force
CAPEC-345 WASC-12 - Content Spoofing
CAPEC-351 WASC-18 - Credential/Session Prediction
CAPEC-357 WASC-24 - HTTP Request Splitting
CAPEC-358 WASC-25 - HTTP Response Splitting
CAPEC-359 WASC-26 - HTTP Request Smuggling
CAPEC-360 WASC-27 - HTTP Response Smuggling
CAPEC-361 WASC-28 - Null Byte Injection
CAPEC-362 WASC-29 - LDAP Injection
CAPEC-363 WASC-30 - Mail Command Injection
CAPEC-365 WASC-32 - Routing Detour
CAPEC-367 WASC-34 - Predictable Resource Location
CAPEC-368 WASC-35 - SOAP Array Abuse
CAPEC-371 WASC-38 - URL Redirector Abuse
CAPEC-374 WASC-41 - XML Attribute Blowup
CAPEC-375 WASC-42 - Abuse of Functionality
CAPEC-376 WASC-43 - XML External Entities
CAPEC-377 WASC-44 - XML Entity Expansion
CAPEC-378 WASC-45 - Fingerprinting
CAPEC-403 Social Engineering

Categories Deprecated
Back to top

View Changes

Views Added

Existing Views Modified with Enhanced Material

Views Deprecated
Back to top

Mapping Changes

CAPEC --> CWE Mappings Added
CAPEC-103 Clickjacking
  --> CWE-1021
CAPEC-115 Authentication Bypass
  --> CWE-287 Improper Authentication
CAPEC-506 Tapjacking
  --> CWE-1021

CAPEC --> CWE Mappings Removed
CAPEC-103 Clickjacking
  --> CWE-693 Protection Mechanism Failure
CAPEC-115 Authentication Bypass
  --> CWE-592 DEPRECATED: Authentication Bypass Issues
CAPEC-213 DEPRECATED: Directory Traversal
  --> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  --> CWE-893 SFP Primary Cluster: Path Resolution
CAPEC-258 DEPRECATED: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Dynamic Update
  --> CWE-311 Missing Encryption of Sensitive Data
CAPEC-259 DEPRECATED: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Patching
  --> CWE-311 Missing Encryption of Sensitive Data
CAPEC-260 DEPRECATED: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Initial Distribution
  --> CWE-311 Missing Encryption of Sensitive Data

CAPEC --> CAPEC Mappings Added

CAPEC --> CAPEC Mappings Removed
Back to top
More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017
 

Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the associated references from this website are subject to the Terms of Use. CAPEC is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2007–2024, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.