
Differences between 3.3 and 3.4 Content

Summary

Total (3.4) (not including Deprecated) 553
Total (3.3) (not including Deprecated) 582
Attack Patterns
New Patterns Added 4
Existing Patterns Modified with Enhanced Material 181
Patterns Deprecated 1
Categories
Existing Categories Modified with Enhanced Material 1
Categories Deprecated 34
Views
Views Added 2
Existing Views Modified with Enhanced Material 1
CAPEC -> CWE Mappings
CAPEC -> CWE Mappings Added 43
CAPEC -> CWE Mappings Removed 3
CAPEC -> CAPEC Mappings
CAPEC -> CAPEC Mappings Added 35
CAPEC -> CAPEC Mappings Removed 112

Summary of Entry Types

Type 3.3 3.4
Views 9 11
Categories 49 15
Attack Patterns 524 527
Deprecated 76 111

Attack Pattern Changes

New Patterns Added
CAPEC-656 Voice Phishing
CAPEC-657 Malicious Automated Software Update via Spoofing
CAPEC-660 Root/Jailbreak Detection Evasion via Hooking
CAPEC-661 Root/Jailbreak Detection Evasion via Debugging

Existing Patterns Modified with Enhanced Material
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
CAPEC-7 Blind SQL Injection
CAPEC-10 Buffer Overflow via Environment Variables
CAPEC-13 Subverting Environment Variable Values
CAPEC-16 Dictionary-based Password Attack
CAPEC-17 Using Malicious Files
CAPEC-21 Exploitation of Trusted Identifiers
CAPEC-23 File Content Injection
CAPEC-25 Forced Deadlock
CAPEC-31 Accessing/Intercepting/Modifying HTTP Cookies
CAPEC-32 XSS Through HTTP Query Strings
CAPEC-33 HTTP Request Smuggling
CAPEC-34 HTTP Response Splitting
CAPEC-37 Retrieve Embedded Sensitive Data
CAPEC-44 Overflow Binary Resource File
CAPEC-48 Passing Local Filenames to Functions That Expect a URL
CAPEC-49 Password Brute Forcing
CAPEC-50 Password Recovery Exploitation
CAPEC-52 Embedding NULL Bytes
CAPEC-55 Rainbow Table Password Cracking
CAPEC-58 Restful Privilege Elevation
CAPEC-59 Session Credential Falsification through Prediction
CAPEC-61 Session Fixation
CAPEC-62 Cross Site Request Forgery
CAPEC-63 Cross-Site Scripting (XSS)
CAPEC-66 SQL Injection
CAPEC-67 String Format Overflow in syslog()
CAPEC-68 Subvert Code-signing Facilities
CAPEC-70 Try Common or Default Usernames and Passwords
CAPEC-71 Using Unicode Encoding to Bypass Validation Logic
CAPEC-77 Manipulating User-Controlled Variables
CAPEC-83 XPath Injection
CAPEC-84 XQuery Injection
CAPEC-85 AJAX Footprinting
CAPEC-86 XSS Through HTTP Headers
CAPEC-87 Forceful Browsing
CAPEC-88 OS Command Injection
CAPEC-89 Pharming
CAPEC-90 Reflection Attack in Authentication Protocol
CAPEC-92 Forced Integer Overflow
CAPEC-94 Man in the Middle Attack
CAPEC-97 Cryptanalysis
CAPEC-98 Phishing
CAPEC-100 Overflow Buffers
CAPEC-101 Server Side Include (SSI) Injection
CAPEC-103 Clickjacking
CAPEC-105 HTTP Request Splitting
CAPEC-107 Cross Site Tracing
CAPEC-110 SQL Injection through SOAP Parameter Tampering
CAPEC-112 Brute Force
CAPEC-113 Interface Manipulation
CAPEC-115 Authentication Bypass
CAPEC-116 Excavation
CAPEC-121 Exploit Non-Production Interfaces
CAPEC-122 Privilege Abuse
CAPEC-124 Shared Resource Manipulation
CAPEC-125 Flooding
CAPEC-126 Path Traversal
CAPEC-130 Excessive Allocation
CAPEC-131 Resource Leak Exposure
CAPEC-134 Email Injection
CAPEC-135 Format String Injection
CAPEC-136 LDAP Injection
CAPEC-139 Relative Path Traversal
CAPEC-141 Cache Poisoning
CAPEC-148 Content Spoofing
CAPEC-149 Explore for Predictable Temporary File Names
CAPEC-150 Collect Data from Common Resource Locations
CAPEC-155 Screen Temporary Files for Sensitive Information
CAPEC-157 Sniffing Attacks
CAPEC-159 Redirect Access to Libraries
CAPEC-163 Spear Phishing
CAPEC-164 Mobile Phishing
CAPEC-166 Force the System to Reset Values
CAPEC-167 White Box Reverse Engineering
CAPEC-168 Windows ::DATA Alternate Data Stream
CAPEC-169 Footprinting
CAPEC-173 Action Spoofing
CAPEC-176 Configuration/Environment Manipulation
CAPEC-178 Cross-Site Flashing
CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-183 IMAP/SMTP Command Injection
CAPEC-185 Malicious Software Download
CAPEC-186 Malicious Software Update
CAPEC-187 Malicious Automated Software Update via Redirection
CAPEC-193 PHP Remote File Inclusion
CAPEC-194 Fake the Source of Data
CAPEC-197 XML Entity Expansion
CAPEC-201 Serialized Data External Linking
CAPEC-206 Signing Malicious Code
CAPEC-209 XSS Using MIME Type Mismatch
CAPEC-215 Fuzzing for application mapping
CAPEC-219 XML Routing Detour Attacks
CAPEC-221 Data Serialization External Entities Blowup
CAPEC-224 Fingerprinting
CAPEC-227 Sustained Client Engagement
CAPEC-228 DTD Injection
CAPEC-229 Serialized Data Parameter Blowup
CAPEC-231 Oversized Serialized Data Payloads
CAPEC-233 Privilege Escalation
CAPEC-237 Escaping a Sandbox by Calling Code in Another Language
CAPEC-240 Resource Injection
CAPEC-242 Code Injection
CAPEC-248 Command Injection
CAPEC-250 XML Injection
CAPEC-251 Local Code Inclusion
CAPEC-252 PHP Local File Inclusion
CAPEC-253 Remote Code Inclusion
CAPEC-256 SOAP Array Overflow
CAPEC-261 Fuzzing for garnering other adjacent user/sensitive data
CAPEC-267 Leverage Alternate Encoding
CAPEC-268 Audit Log Manipulation
CAPEC-273 HTTP Response Smuggling
CAPEC-275 DNS Rebinding
CAPEC-279 SOAP Manipulation
CAPEC-287 TCP SYN Scan
CAPEC-292 Host Discovery
CAPEC-300 Port Scanning
CAPEC-301 TCP Connect Scan
CAPEC-302 TCP FIN Scan
CAPEC-303 TCP Xmas Scan
CAPEC-304 TCP Null Scan
CAPEC-305 TCP ACK Scan
CAPEC-306 TCP Window Scan
CAPEC-307 TCP RPC Scan
CAPEC-308 UDP Scan
CAPEC-309 Network Topology Mapping
CAPEC-383 Harvesting Information via API Event Monitoring
CAPEC-406 Dumpster Diving
CAPEC-407 Pretexting
CAPEC-422 Influence Perception of Commitment and Consistency
CAPEC-425 Target Influence via Framing
CAPEC-459 Creating a Rogue Certification Authority Certificate
CAPEC-460 HTTP Parameter Pollution (HPP)
CAPEC-461 Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
CAPEC-462 Cross-Domain Search Timing
CAPEC-463 Padding Oracle Crypto Attack
CAPEC-464 Evercookie
CAPEC-465 Transparent Proxy Abuse
CAPEC-466 Leveraging Active Man in the Middle Attacks to Bypass Same Origin Policy
CAPEC-467 Cross Site Identification
CAPEC-468 Generic Cross-Browser Cross-Domain Theft
CAPEC-469 HTTP DoS
CAPEC-470 Expanding Control over the Operating System from the Database
CAPEC-471 Search Order Hijacking
CAPEC-474 Signature Spoofing by Key Theft
CAPEC-480 Escaping Virtualization
CAPEC-486 UDP Flood
CAPEC-491 XML Quadratic Expansion
CAPEC-492 Regular Expression Exponential Blowup
CAPEC-497 File Discovery
CAPEC-499 Android Intent Intercept
CAPEC-501 Android Activity Hijack
CAPEC-505 Scheme Squatting
CAPEC-509 Kerberoasting
CAPEC-536 Data Injected During Configuration
CAPEC-537 Infiltration of Hardware Development Environment
CAPEC-543 Counterfeit Websites
CAPEC-545 Pull Data from System Resources
CAPEC-561 Windows Admin Shares with Stolen Credentials
CAPEC-564 Run Software at Logon
CAPEC-565 Password Spraying
CAPEC-568 Capture Credentials via Keylogger
CAPEC-580 System Footprinting
CAPEC-584 BGP Route Disabling
CAPEC-586 Object Injection
CAPEC-587 Cross Frame Scripting (XFS)
CAPEC-588 DOM-Based XSS
CAPEC-589 DNS Blocking
CAPEC-591 Reflected XSS
CAPEC-592 Stored XSS
CAPEC-593 Session Hijacking
CAPEC-600 Credential Stuffing
CAPEC-611 BitSquatting
CAPEC-624 Hardware Fault Injection
CAPEC-630 TypoSquatting
CAPEC-631 SoundSquatting
CAPEC-632 Homograph Attack via Homoglyphs
CAPEC-642 Replace Binaries
CAPEC-650 Upload a Web Shell to a Web Server
CAPEC-652 Use of Known Kerberos Credentials

Patterns Deprecated
CAPEC-214 DEPRECATED: Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping

Category Changes

New Categories Added

Existing Categories Modified with Enhanced Material
CAPEC-210 Abuse Existing Functionality

Categories Deprecated
CAPEC-336 DEPRECATED: WASC-03 - Integer Overflows
CAPEC-338 DEPRECATED: WASC-05 - Remote File Inclusion
CAPEC-339 DEPRECATED: WASC-06 - Format String
CAPEC-340 DEPRECATED: WASC-07 - Buffer Overflow
CAPEC-341 DEPRECATED: WASC-08 - Cross-Site Scripting
CAPEC-342 DEPRECATED: WASC-09 - Cross-Site Request Forgery
CAPEC-343 DEPRECATED: WASC-10 - Denial of Service
CAPEC-344 DEPRECATED: WASC-11 - Brute Force
CAPEC-345 DEPRECATED: WASC-12 - Content Spoofing
CAPEC-351 DEPRECATED: WASC-18 - Credential/Session Prediction
CAPEC-352 DEPRECATED: WASC-19 - SQL Injection
CAPEC-356 DEPRECATED: WASC-23 - XML Injection
CAPEC-357 DEPRECATED: WASC-24 - HTTP Request Splitting
CAPEC-358 DEPRECATED: WASC-25 - HTTP Response Splitting
CAPEC-359 DEPRECATED: WASC-26 - HTTP Request Smuggling
CAPEC-360 DEPRECATED: WASC-27 - HTTP Response Smuggling
CAPEC-361 DEPRECATED: WASC-28 - Null Byte Injection
CAPEC-362 DEPRECATED: WASC-29 - LDAP Injection
CAPEC-363 DEPRECATED: WASC-30 - Mail Command Injection
CAPEC-364 DEPRECATED: WASC-31 - OS Commanding
CAPEC-365 DEPRECATED: WASC-32 - Routing Detour
CAPEC-366 DEPRECATED: WASC-33 - Path Traversal
CAPEC-367 DEPRECATED: WASC-34 - Predictable Resource Location
CAPEC-368 DEPRECATED: WASC-35 - SOAP Array Abuse
CAPEC-369 DEPRECATED: WASC-36 - SSI Injection
CAPEC-370 DEPRECATED: WASC-37 - Session Fixation
CAPEC-371 DEPRECATED: WASC-38 - URL Redirector Abuse
CAPEC-372 DEPRECATED: WASC-39 - XPath Injection
CAPEC-374 DEPRECATED: WASC-41 - XML Attribute Blowup
CAPEC-375 DEPRECATED: WASC-42 - Abuse of Functionality
CAPEC-376 DEPRECATED: WASC-43 - XML External Entities
CAPEC-377 DEPRECATED: WASC-44 - XML Entity Expansion
CAPEC-378 DEPRECATED: WASC-45 - Fingerprinting
CAPEC-379 DEPRECATED: WASC-46 - XQuery Injection

View Changes

Views Added
CAPEC-658 ATT&CK Related Patterns
CAPEC-659 OWASP Related Patterns

Existing Views Modified with Enhanced Material
CAPEC-333 WASC Threat Classification 2.0

Views Deprecated

Mapping Changes

CAPEC --> CWE Mappings Added
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
  --> CWE-1311 Improper Translation of Security Attributes by Fabric Bridge
  --> CWE-1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
  --> CWE-1313 Hardware Allows Activation of Test or Debug Logic at Runtime
  --> CWE-1314 Missing Write Protection for Parametric Data Values
  --> CWE-1315 Improper Setting of Bus Controlling Capability in Fabric End-point
  --> CWE-1318 Missing Support for Security Features in On-chip Fabrics or Buses
  --> CWE-1320 Improper Protection for Out of Bounds Signal Level Alerts
  --> CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
  --> CWE-1326 Missing Immutable Root of Trust in Hardware
  --> CWE-1327 Binding to an Unrestricted IP Address
CAPEC-25 Forced Deadlock
  --> CWE-1322 Use of Blocking Code in Single-threaded, Non-blocking Context
CAPEC-37 Retrieve Embedded Sensitive Data
  --> CWE-1330 Remanent Data Readable after Memory Erase
CAPEC-68 Subvert Code-signing Facilities
  --> CWE-1326 Missing Immutable Root of Trust in Hardware
CAPEC-77 Manipulating User-Controlled Variables
  --> CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CAPEC-113 Interface Manipulation
  --> CWE-1192 System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers
CAPEC-121 Exploit Non-Production Interfaces
  --> CWE-1313 Hardware Allows Activation of Test or Debug Logic at Runtime
CAPEC-122 Privilege Abuse
  --> CWE-1317 Missing Security Checks in Fabric Bridge
CAPEC-124 Shared Resource Manipulation
  --> CWE-1331 Improper Isolation of Shared Resources in Network On Chip
CAPEC-130 Excessive Allocation
  --> CWE-1325 Improperly Controlled Sequential Memory Allocation
CAPEC-150 Collect Data from Common Resource Locations
  --> CWE-1323 Improper Management of Sensitive Trace Data
  --> CWE-1324 Sensitive Information Accessible by Physical Probing of JTAG Interface
  --> CWE-1330 Remanent Data Readable after Memory Erase
CAPEC-167 White Box Reverse Engineering
  --> CWE-1323 Improper Management of Sensitive Trace Data
  --> CWE-1324 Sensitive Information Accessible by Physical Probing of JTAG Interface
CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
  --> CWE-1311 Improper Translation of Security Attributes by Fabric Bridge
  --> CWE-1313 Hardware Allows Activation of Test or Debug Logic at Runtime
  --> CWE-1315 Improper Setting of Bus Controlling Capability in Fabric End-point
  --> CWE-1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
  --> CWE-1318 Missing Support for Security Features in On-chip Fabrics or Buses
  --> CWE-1320 Improper Protection for Out of Bounds Signal Level Alerts
  --> CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
  --> CWE-1326 Missing Immutable Root of Trust in Hardware
CAPEC-215 Fuzzing for application mapping
  --> CWE-388 7PK - Errors
CAPEC-233 Privilege Escalation
  --> CWE-1311 Improper Translation of Security Attributes by Fabric Bridge
CAPEC-545 Pull Data from System Resources
  --> CWE-1323 Improper Management of Sensitive Trace Data
  --> CWE-1324 Sensitive Information Accessible by Physical Probing of JTAG Interface
  --> CWE-1330 Remanent Data Readable after Memory Erase
CAPEC-624 Hardware Fault Injection
  --> CWE-1319 Improper Protection against Electromagnetic Fault Injection (EM-FI)
  --> CWE-1332 Insufficient Protection Against Instruction Skipping Via Fault Injection
  --> CWE-1334 Unauthorized Error Injection Can Degrade Hardware Redundancy
CAPEC-657 Malicious Automated Software Update via Spoofing
  --> CWE-494 Download of Code Without Integrity Check
CAPEC-660 Root/Jailbreak Detection Evasion via Hooking
  --> CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CAPEC-661 Root/Jailbreak Detection Evasion via Debugging
  --> CWE-489 Active Debug Code

CAPEC --> CWE Mappings Removed
CAPEC-214 Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping
  --> CWE-209 Generation of Error Message Containing Sensitive Information
  --> CWE-388 7PK - Errors
CAPEC-537 Infiltration of Hardware Development Environment
  --> CWE-125 Out-of-bounds Read

CAPEC --> CAPEC Mappings Added
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
CanPrecede   --> CAPEC-17 Using Malicious Files
CAPEC-16 Dictionary-based Password Attack
CanPrecede   --> CAPEC-561 Windows Admin Shares with Stolen Credentials
CAPEC-17 Using Malicious Files
Has Child   --> CAPEC-122 Privilege Abuse
CAPEC-32 XSS Through HTTP Query Strings
Has Child   --> CAPEC-592 Stored XSS
CAPEC-49 Password Brute Forcing
CanPrecede   --> CAPEC-561 Windows Admin Shares with Stolen Credentials
CAPEC-50 Password Recovery Exploitation
CanPrecede   --> CAPEC-561 Windows Admin Shares with Stolen Credentials
CAPEC-55 Rainbow Table Password Cracking
CanPrecede   --> CAPEC-561 Windows Admin Shares with Stolen Credentials
CAPEC-58 Restful Privilege Elevation
Has Child   --> CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-63 Cross-Site Scripting (XSS)
CanPrecede   --> CAPEC-107 Cross Site Tracing
CAPEC-70 Try Common or Default Usernames and Passwords
CanPrecede   --> CAPEC-561 Windows Admin Shares with Stolen Credentials
CAPEC-85 AJAX Footprinting
Has Child   --> CAPEC-580 System Footprinting
CAPEC-86 XSS Through HTTP Headers
Has Child   --> CAPEC-592 Stored XSS
CAPEC-90 Reflection Attack in Authentication Protocol
Has Child   --> CAPEC-272 Protocol Manipulation
CAPEC-116 Excavation
CanPrecede   --> CAPEC-163 Spear Phishing
CAPEC-149 Explore for Predictable Temporary File Names
CanPrecede   --> CAPEC-155 Screen Temporary Files for Sensitive Information
CAPEC-157 Sniffing Attacks
CanPrecede   --> CAPEC-652 Use of Known Kerberos Credentials
CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CanPrecede   --> CAPEC-17 Using Malicious Files
CAPEC-185 Malicious Software Download
CanPrecede   --> CAPEC-94 Man in the Middle Attack
CAPEC-194 Fake the Source of Data
CanPrecede   --> CAPEC-657 Malicious Automated Software Update via Spoofing
CAPEC-215 Fuzzing for application mapping
Has Child   --> CAPEC-28 Fuzzing
CAPEC-228 DTD Injection
CanPrecede   --> CAPEC-197 XML Entity Expansion
CanPrecede   --> CAPEC-491 XML Quadratic Expansion
CAPEC-279 SOAP Manipulation
CanPrecede   --> CAPEC-110 SQL Injection through SOAP Parameter Tampering
CanPrecede   --> CAPEC-228 DTD Injection
CAPEC-406 Dumpster Diving
CanPrecede   --> CAPEC-163 Spear Phishing
CAPEC-407 Pretexting
CanPrecede   --> CAPEC-163 Spear Phishing
CAPEC-505 Scheme Squatting
Has Child   --> CAPEC-616 Establish Rogue Location
CAPEC-565 Password Spraying
CanPrecede   --> CAPEC-561 Windows Admin Shares with Stolen Credentials
CAPEC-568 Capture Credentials via Keylogger
CanPrecede   --> CAPEC-561 Windows Admin Shares with Stolen Credentials
CAPEC-656 Voice Phishing
Has Child   --> CAPEC-98 Phishing
CAPEC-657 Malicious Automated Software Update via Spoofing
Has Child   --> CAPEC-186 Malicious Software Update
CAPEC-660 Root/Jailbreak Detection Evasion via Hooking
Has Child   --> CAPEC-251 Local Code Inclusion
CAPEC-661 Root/Jailbreak Detection Evasion via Debugging
CanPrecede   --> CAPEC-68 Subvert Code-signing Facilities
Has Child   --> CAPEC-121 Exploit Non-Production Interfaces
CanPrecede   --> CAPEC-660 Root/Jailbreak Detection Evasion via Hooking

CAPEC --> CAPEC Mappings Removed
CAPEC-17 Using Malicious Files
Has Child   --> CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
Has Child   --> CAPEC-165 File Manipulation
CAPEC-31 Accessing/Intercepting/Modifying HTTP Cookies
Has Child   --> CAPEC-150 Collect Data from Common Resource Locations
CAPEC-58 Restful Privilege Elevation
Has Child   --> CAPEC-233 Privilege Escalation
CAPEC-85 AJAX Fingerprinting
Has Child   --> CAPEC-541 Application Fingerprinting
CAPEC-89 Pharming
CanFollow   --> CAPEC-89 Pharming
CanFollow   --> CAPEC-543 Counterfeit Websites
CanFollow   --> CAPEC-611 BitSquatting
CanFollow   --> CAPEC-630 TypoSquatting
CanFollow   --> CAPEC-631 SoundSquatting
CanFollow   --> CAPEC-632 Homograph Attack via Homoglyphs
CAPEC-90 Reflection Attack in Authentication Protocol
Has Child   --> CAPEC-220 Client-Server Protocol Manipulation
CAPEC-94 Man in the Middle Attack
CanFollow   --> CAPEC-185 Malicious Software Download
CAPEC-107 Cross Site Tracing
CanFollow   --> CAPEC-63 Cross-Site Scripting (XSS)
CAPEC-110 SQL Injection through SOAP Parameter Tampering
CanFollow   --> CAPEC-279 SOAP Manipulation
CAPEC-155 Screen Temporary Files for Sensitive Information
CanFollow   --> CAPEC-149 Explore for Predictable Temporary File Names
CAPEC-163 Spear Phishing
CanFollow   --> CAPEC-116 Excavation
CanFollow   --> CAPEC-406 Dumpster Diving
CanFollow   --> CAPEC-407 Pretexting
CAPEC-197 XML Entity Expansion
CanFollow   --> CAPEC-228 DTD Injection
CAPEC-214 Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping
Has Child   --> CAPEC-54 Query System for Information
CAPEC-228 DTD Injection
CanFollow   --> CAPEC-279 SOAP Manipulation
CAPEC-237 Escaping a Sandbox by Calling Signed Code in Another Language
Has Child   --> CAPEC-68 Subvert Code-signing Facilities
CAPEC-333 WASC Threat Classification 2.0
Has Member   --> CAPEC-336 DEPRECATED: WASC-03 - Integer Overflows
Has Member   --> CAPEC-338 DEPRECATED: WASC-05 - Remote File Inclusion
Has Member   --> CAPEC-339 DEPRECATED: WASC-06 - Format String
Has Member   --> CAPEC-340 DEPRECATED: WASC-07 - Buffer Overflow
Has Member   --> CAPEC-341 DEPRECATED: WASC-08 - Cross-Site Scripting
Has Member   --> CAPEC-342 DEPRECATED: WASC-09 - Cross-Site Request Forgery
Has Member   --> CAPEC-343 DEPRECATED: WASC-10 - Denial of Service
Has Member   --> CAPEC-344 DEPRECATED: WASC-11 - Brute Force
Has Member   --> CAPEC-345 DEPRECATED: WASC-12 - Content Spoofing
Has Member   --> CAPEC-351 DEPRECATED: WASC-18 - Credential/Session Prediction
Has Member   --> CAPEC-352 DEPRECATED: WASC-19 - SQL Injection
Has Member   --> CAPEC-356 DEPRECATED: WASC-23 - XML Injection
Has Member   --> CAPEC-357 DEPRECATED: WASC-24 - HTTP Request Splitting
Has Member   --> CAPEC-358 DEPRECATED: WASC-25 - HTTP Response Splitting
Has Member   --> CAPEC-359 DEPRECATED: WASC-26 - HTTP Request Smuggling
Has Member   --> CAPEC-360 DEPRECATED: WASC-27 - HTTP Response Smuggling
Has Member   --> CAPEC-361 DEPRECATED: WASC-28 - Null Byte Injection
Has Member   --> CAPEC-362 DEPRECATED: WASC-29 - LDAP Injection
Has Member   --> CAPEC-363 DEPRECATED: WASC-30 - Mail Command Injection
Has Member   --> CAPEC-364 DEPRECATED: WASC-31 - OS Commanding
Has Member   --> CAPEC-365 DEPRECATED: WASC-32 - Routing Detour
Has Member   --> CAPEC-366 DEPRECATED: WASC-33 - Path Traversal
Has Member   --> CAPEC-367 DEPRECATED: WASC-34 - Predictable Resource Location
Has Member   --> CAPEC-368 DEPRECATED: WASC-35 - SOAP Array Abuse
Has Member   --> CAPEC-369 DEPRECATED: WASC-36 - SSI Injection
Has Member   --> CAPEC-370 DEPRECATED: WASC-37 - Session Fixation
Has Member   --> CAPEC-371 DEPRECATED: WASC-38 - URL Redirector Abuse
Has Member   --> CAPEC-372 DEPRECATED: WASC-39 - XPath Injection
Has Member   --> CAPEC-374 DEPRECATED: WASC-41 - XML Attribute Blowup
Has Member   --> CAPEC-375 DEPRECATED: WASC-42 - Abuse of Functionality
Has Member   --> CAPEC-376 DEPRECATED: WASC-43 - XML External Entities
Has Member   --> CAPEC-377 DEPRECATED: WASC-44 - XML Entity Expansion
Has Member   --> CAPEC-378 DEPRECATED: WASC-45 - Fingerprinting
Has Member   --> CAPEC-379 DEPRECATED: WASC-46 - XQuery Injection
CAPEC-336 WASC-03 - Integer Overflows
Has Member   --> CAPEC-92 Forced Integer Overflow
CAPEC-338 WASC-05 - Remote File Inclusion
Has Member   --> CAPEC-253 Remote Code Inclusion
CAPEC-340 WASC-07 - Buffer Overflow
Has Member   --> CAPEC-100 Overflow Buffers
CAPEC-341 WASC-08 - Cross-Site Scripting
Has Member   --> CAPEC-63 Cross-Site Scripting (XSS)
CAPEC-342 WASC-09 - Cross-Site Request Forgery
Has Member   --> CAPEC-62 Cross Site Request Forgery
CAPEC-343 WASC-10 - Denial of Service
Has Member   --> CAPEC-125 Flooding
Has Member   --> CAPEC-130 Excessive Allocation
Has Member   --> CAPEC-131 Resource Leak Exposure
Has Member   --> CAPEC-227 Sustained Client Engagement
CAPEC-344 WASC-11 - Brute Force
Has Member   --> CAPEC-112 Brute Force
CAPEC-345 WASC-12 - Content Spoofing
Has Member   --> CAPEC-148 Content Spoofing
CAPEC-351 WASC-18 - Credential/Session Prediction
Has Member   --> CAPEC-59 Session Credential Falsification through Prediction
CAPEC-352 WASC-19 - SQL Injection
Has Member   --> CAPEC-66 SQL Injection
CAPEC-356 WASC-23 - XML Injection
Has Member   --> CAPEC-250 XML Injection
CAPEC-357 WASC-24 - HTTP Request Splitting
Has Member   --> CAPEC-105 HTTP Request Splitting
CAPEC-358 WASC-25 - HTTP Response Splitting
Has Member   --> CAPEC-34 HTTP Response Splitting
CAPEC-359 WASC-26 - HTTP Request Smuggling
Has Member   --> CAPEC-33 HTTP Request Smuggling
CAPEC-360 WASC-27 - HTTP Response Smuggling
Has Member   --> CAPEC-273 HTTP Response Smuggling
CAPEC-361 WASC-28 - Null Byte Injection
Has Member   --> CAPEC-52 Embedding NULL Bytes
CAPEC-362 WASC-29 - LDAP Injection
Has Member   --> CAPEC-136 LDAP Injection
CAPEC-363 WASC-30 - Mail Command Injection
Has Member   --> CAPEC-134 Email Injection
CAPEC-364 WASC-31 - OS Commanding
Has Member   --> CAPEC-88 OS Command Injection
CAPEC-365 WASC-32 - Routing Detour
Has Member   --> CAPEC-219 XML Routing Detour Attacks
CAPEC-366 WASC-33 - Path Traversal
Has Member   --> CAPEC-126 Path Traversal
CAPEC-367 WASC-34 - Predictable Resource Location
Has Member   --> CAPEC-87 Forceful Browsing
CAPEC-368 WASC-35 - SOAP Array Abuse
Has Member   --> CAPEC-256 SOAP Array Overflow
CAPEC-369 WASC-36 - SSI Injection
Has Member   --> CAPEC-101 Server Side Include (SSI) Injection
CAPEC-370 WASC-37 - Session Fixation
Has Member   --> CAPEC-61 Session Fixation
CAPEC-371 WASC-38 - URL Redirector Abuse
Has Member   --> CAPEC-194 Fake the Source of Data
CAPEC-374 WASC-41 - XML Attribute Blowup
Has Member   --> CAPEC-229 Serialized Data Parameter Blowup
CAPEC-375 WASC-42 - Abuse of Functionality
Has Member   --> CAPEC-210 Abuse Existing Functionality
CAPEC-376 WASC-43 - XML External Entities
Has Member   --> CAPEC-221 Data Serialization External Entities Blowup
CAPEC-377 WASC-44 - XML Entity Expansion
Has Member   --> CAPEC-197 XML Entity Expansion
Has Member   --> CAPEC-219 XML Routing Detour Attacks
CAPEC-378 WASC-45 - Fingerprinting
Has Member   --> CAPEC-224 Fingerprinting
CAPEC-379 WASC-46 - XQuery Injection
Has Member   --> CAPEC-84 XQuery Injection
CAPEC-491 XML Quadratic Expansion
CanFollow   --> CAPEC-228 DTD Injection
CAPEC-505 Scheme Squatting
Has Child   --> CAPEC-173 Action Spoofing
CAPEC-543 Counterfeit Websites
CanFollow   --> CAPEC-98 Phishing
CanFollow   --> CAPEC-611 BitSquatting
CanFollow   --> CAPEC-630 TypoSquatting
CanFollow   --> CAPEC-631 SoundSquatting
CanFollow   --> CAPEC-632 Homograph Attack via Homoglyphs
CAPEC-561 Windows Admin Shares with Stolen Credentials
CanFollow   --> CAPEC-16 Dictionary-based Password Attack
CanFollow   --> CAPEC-49 Password Brute Forcing
CanFollow   --> CAPEC-50 Password Recovery Exploitation
CanFollow   --> CAPEC-55 Rainbow Table Password Cracking
CanFollow   --> CAPEC-70 Try Common or Default Usernames and Passwords
CanFollow   --> CAPEC-565 Password Spraying
CanFollow   --> CAPEC-568 Capture Credentials via Keylogger
CAPEC-611 BitSquatting
CanFollow   --> CAPEC-98 Phishing
CAPEC-630 TypoSquatting
CanFollow   --> CAPEC-98 Phishing
CAPEC-631 SoundSquatting
CanFollow   --> CAPEC-98 Phishing
CAPEC-632 Homograph Attack via Homoglyphs
CanFollow   --> CAPEC-98 Phishing
CAPEC-652 Use of Known Kerberos Credentials
CanFollow   --> CAPEC-157 Sniffing Attacks
Page Last Updated or Reviewed: December 17, 2020