New to CAPEC? Start Here
Home > CAPEC List > Reports > Differences between 2.10 and 2.11 Content  

Differences between 2.10 and 2.11 Content

Summary

Total (2.11) (not including Deprecated) 566
Total (2.10) (not including Deprecated) 568
Attack Patterns
New Patterns Added 3
Existing Patterns Modified with Enhanced Material 138
Patterns Deprecated 5
Categories
Existing Categories Modified with Enhanced Material 25
CAPEC -> CWE Mappings
CAPEC -> CWE Mappings Added 3
CAPEC -> CWE Mappings Removed 7

Summary of Entry Types

Type 2.10 2.11
Views 9 9
Categories 49 49
Attack Patterns 510 508
Deprecated 55 60

Back to top

Attack Pattern Changes

New Patterns Added
CAPEC-630 TypoSquatting
CAPEC-631 SoundSquatting
CAPEC-632 Homograph Attack via Homoglyphs

Existing Patterns Modified with Enhanced Material
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
CAPEC-3 Using Leading 'Ghost' Character Sequences to Bypass Input Filters
CAPEC-4 Using Alternative IP Address Encodings
CAPEC-7 Blind SQL Injection
CAPEC-11 Cause Web Server Misclassification
CAPEC-19 Embedding Scripts within Scripts
CAPEC-23 File Content Injection
CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
CAPEC-30 Hijacking a Privileged Thread of Execution
CAPEC-31 Accessing/Intercepting/Modifying HTTP Cookies
CAPEC-32 XSS Through HTTP Query Strings
CAPEC-33 HTTP Request Smuggling
CAPEC-34 HTTP Response Splitting
CAPEC-36 Using Unpublished APIs
CAPEC-40 Manipulating Writeable Terminal Devices
CAPEC-47 Buffer Overflow via Parameter Expansion
CAPEC-48 Passing Local Filenames to Functions That Expect a URL
CAPEC-49 Password Brute Forcing
CAPEC-59 Session Credential Falsification through Prediction
CAPEC-61 Session Fixation
CAPEC-62 Cross Site Request Forgery
CAPEC-64 Using Slashes and URL Encoding Combined to Bypass Validation Logic
CAPEC-66 SQL Injection
CAPEC-70 Try Common or Default Usernames and Passwords
CAPEC-83 XPath Injection
CAPEC-87 Forceful Browsing
CAPEC-89 Pharming
CAPEC-94 Man in the Middle Attack
CAPEC-100 Overflow Buffers
CAPEC-101 Server Side Include (SSI) Injection
CAPEC-102 Session Sidejacking
CAPEC-103 Clickjacking
CAPEC-104 Cross Zone Scripting
CAPEC-105 HTTP Request Splitting
CAPEC-107 Cross Site Tracing
CAPEC-108 Command Line Execution through SQL Injection
CAPEC-109 Object Relational Mapping Injection
CAPEC-110 SQL Injection through SOAP Parameter Tampering
CAPEC-111 JSON Hijacking (aka JavaScript Hijacking)
CAPEC-112 Brute Force
CAPEC-115 Authentication Bypass
CAPEC-120 Double Encoding
CAPEC-122 Privilege Abuse
CAPEC-124 Shared Data Manipulation
CAPEC-127 Directory Indexing
CAPEC-128 Integer Attacks
CAPEC-129 Pointer Manipulation
CAPEC-130 Excessive Allocation
CAPEC-131 Resource Leak Exposure
CAPEC-132 Symlink Attack
CAPEC-133 Try All Common Switches
CAPEC-134 Email Injection
CAPEC-135 Format String Injection
CAPEC-137 Parameter Injection
CAPEC-138 Reflection Injection
CAPEC-139 Relative Path Traversal
CAPEC-140 Bypassing of Intermediate Forms in Multiple-Form Sets
CAPEC-142 DNS Cache Poisoning
CAPEC-145 Checksum Spoofing
CAPEC-148 Content Spoofing
CAPEC-149 Explore for Predictable Temporary File Names
CAPEC-150 Collect Data from Common Resource Locations
CAPEC-151 Identity Spoofing
CAPEC-153 Input Data Manipulation
CAPEC-154 Resource Location Spoofing
CAPEC-155 Screen Temporary Files for Sensitive Information
CAPEC-158 Sniffing Network Traffic
CAPEC-160 Exploit Script-Based APIs
CAPEC-162 Manipulating Hidden Fields
CAPEC-163 Spear Phishing
CAPEC-165 File Manipulation
CAPEC-166 Force the System to Reset Values
CAPEC-168 Windows ::DATA Alternate Data Stream
CAPEC-170 Web Application Fingerprinting
CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-182 Flash Injection
CAPEC-183 IMAP/SMTP Command Injection
CAPEC-187 Malicious Automated Software Update
CAPEC-191 Read Sensitive Strings Within an Executable
CAPEC-193 PHP Remote File Inclusion
CAPEC-195 Principal Spoof
CAPEC-197 XML Entity Expansion
CAPEC-198 XSS Targeting Error Pages
CAPEC-200 Removal of filters: Input filters, output filters, data masking
CAPEC-201 XML Entity Blowup
CAPEC-203 Manipulate Application Registry Values
CAPEC-206 Lifting signing key and signing malicious code from a production environment
CAPEC-208 Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements
CAPEC-219 XML Routing Detour Attacks
CAPEC-221 XML External Entities
CAPEC-222 iFrame Overlay
CAPEC-228 DTD Injection
CAPEC-229 XML Attribute Blowup
CAPEC-234 Hijacking a privileged process
CAPEC-236 Catching exception throw/signal from privileged block
CAPEC-237 Calling Signed Code From Another Language Within A Sandbox Allow This
CAPEC-247 XSS Using Invalid Characters
CAPEC-250 XML Injection
CAPEC-251 Local Code Inclusion
CAPEC-256 SOAP Array Overflow
CAPEC-273 HTTP Response Smuggling
CAPEC-275 DNS Rebinding
CAPEC-285 ICMP Echo Request Ping
CAPEC-294 ICMP Address Mask Request
CAPEC-295 ICMP Timestamp Request
CAPEC-296 ICMP Information Request
CAPEC-406 Dumpster Diving
CAPEC-407 Pretexting
CAPEC-410 Information Elicitation
CAPEC-412 Pretexting via Customer Service
CAPEC-413 Pretexting via Tech Support
CAPEC-414 Pretexting via Delivery Person
CAPEC-415 Pretexting via Phone
CAPEC-416 Manipulate Human Behavior
CAPEC-417 Influence Perception
CAPEC-418 Influence Perception of Reciprocation
CAPEC-420 Influence Perception of Scarcity
CAPEC-421 Influence Perception of Authority
CAPEC-422 Influence Perception of Commitment and Consistency
CAPEC-423 Influence Perception of Liking
CAPEC-424 Influence Perception of Consensus or Social Proof
CAPEC-425 Target Influence via Framing
CAPEC-426 Influence via Incentives
CAPEC-427 Influence via Psychological Principles
CAPEC-429 Target Influence via Eye Cues
CAPEC-463 Padding Oracle Crypto Attack
CAPEC-491 XML Quadratic Expansion
CAPEC-506 Tapjacking
CAPEC-546 Probe Application Memory
CAPEC-588 DOM-Based XSS
CAPEC-590 IP Address Blocking
CAPEC-591 Reflected XSS
CAPEC-592 Stored XSS
CAPEC-603 Blockage
CAPEC-604 Wi-Fi Jamming
CAPEC-610 Cellular Data Injection
CAPEC-611 BitSquatting
CAPEC-624 Fault Injection

Patterns Deprecated
CAPEC-404 DEPRECATED: Social Information Gathering Attacks
CAPEC-405 DEPRECATED: Social Information Gathering via Research
CAPEC-408 DEPRECATED: Information Gathering from Traditional Sources
CAPEC-409 DEPRECATED: Information Gathering from Non-Traditional Sources
CAPEC-419 DEPRECATED: Target Influence via Perception of Concession
Back to top

Category Changes

New Categories Added

Existing Categories Modified with Enhanced Material
CAPEC-118 Collect and Analyze Information
CAPEC-210 Abuse Existing Functionality
CAPEC-339 WASC-06 - Format String
CAPEC-340 WASC-07 - Buffer Overflow
CAPEC-342 WASC-09 - Cross-Site Request Forgery
CAPEC-344 WASC-11 - Brute Force
CAPEC-345 WASC-12 - Content Spoofing
CAPEC-351 WASC-18 - Credential/Session Prediction
CAPEC-357 WASC-24 - HTTP Request Splitting
CAPEC-358 WASC-25 - HTTP Response Splitting
CAPEC-359 WASC-26 - HTTP Request Smuggling
CAPEC-360 WASC-27 - HTTP Response Smuggling
CAPEC-361 WASC-28 - Null Byte Injection
CAPEC-362 WASC-29 - LDAP Injection
CAPEC-363 WASC-30 - Mail Command Injection
CAPEC-365 WASC-32 - Routing Detour
CAPEC-367 WASC-34 - Predictable Resource Location
CAPEC-368 WASC-35 - SOAP Array Abuse
CAPEC-371 WASC-38 - URL Redirector Abuse
CAPEC-374 WASC-41 - XML Attribute Blowup
CAPEC-375 WASC-42 - Abuse of Functionality
CAPEC-376 WASC-43 - XML External Entities
CAPEC-377 WASC-44 - XML Entity Expansion
CAPEC-378 WASC-45 - Fingerprinting
CAPEC-403 Social Engineering

Categories Deprecated
Back to top

View Changes

Views Added

Existing Views Modified with Enhanced Material

Views Deprecated
Back to top

Mapping Changes

CAPEC --> CWE Mappings Added
CAPEC-103 Clickjacking
  --> CWE-1021
CAPEC-115 Authentication Bypass
  --> CWE-287 Improper Authentication
CAPEC-506 Tapjacking
  --> CWE-1021

CAPEC --> CWE Mappings Removed
CAPEC-103 Clickjacking
  --> CWE-693 Protection Mechanism Failure
CAPEC-115 Authentication Bypass
  --> CWE-592 DEPRECATED: Authentication Bypass Issues
CAPEC-213 DEPRECATED: Directory Traversal
  --> CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  --> CWE-893 SFP Primary Cluster: Path Resolution
CAPEC-258 DEPRECATED: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Dynamic Update
  --> CWE-311 Missing Encryption of Sensitive Data
CAPEC-259 DEPRECATED: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Patching
  --> CWE-311 Missing Encryption of Sensitive Data
CAPEC-260 DEPRECATED: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Initial Distribution
  --> CWE-311 Missing Encryption of Sensitive Data

CAPEC --> CAPEC Mappings Added

CAPEC --> CAPEC Mappings Removed
Back to top
More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017
 

Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the associated references from this website are subject to the Terms of Use. Copyright © 2007–2025, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.