New to CAPEC? Start Here
Home > CAPEC List > Reports > Differences between 3.6 and 3.7 Content  

Differences between 3.6 and 3.7 Content


Total (3.7) (not including Deprecated) 572
Total (3.6) (not including Deprecated) 572
Attack Patterns
Existing Patterns Modified with Enhanced Material 160
Existing Categories Modified with Enhanced Material 1
CAPEC -> CAPEC Mappings
CAPEC -> CAPEC Mappings Removed 2

Summary of Entry Types

Type 3.6 3.7
Views 11 11
Categories 15 15
Attack Patterns 546 546
Deprecated 112 112

Attack Pattern Changes

New Patterns Added

Existing Patterns Modified with Enhanced Material
CAPEC-3 Using Leading 'Ghost' Character Sequences to Bypass Input Filters
CAPEC-4 Using Alternative IP Address Encodings
CAPEC-8 Buffer Overflow in an API Call
CAPEC-9 Buffer Overflow in Local Command-Line Utilities
CAPEC-10 Buffer Overflow via Environment Variables
CAPEC-11 Cause Web Server Misclassification
CAPEC-12 Choosing Message Identifier
CAPEC-13 Subverting Environment Variable Values
CAPEC-17 Using Malicious Files
CAPEC-18 XSS Targeting Non-Script Elements
CAPEC-19 Embedding Scripts within Scripts
CAPEC-21 Exploitation of Trusted Identifiers
CAPEC-23 File Content Injection
CAPEC-32 XSS Through HTTP Query Strings
CAPEC-37 Retrieve Embedded Sensitive Data
CAPEC-44 Overflow Binary Resource File
CAPEC-45 Buffer Overflow via Symbolic Links
CAPEC-46 Overflow Variables and Tags
CAPEC-47 Buffer Overflow via Parameter Expansion
CAPEC-49 Password Brute Forcing
CAPEC-50 Password Recovery Exploitation
CAPEC-51 Poison Web Service Registry
CAPEC-52 Embedding NULL Bytes
CAPEC-53 Postfix, Null Terminate, and Backslash
CAPEC-55 Rainbow Table Password Cracking
CAPEC-57 Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
CAPEC-66 SQL Injection
CAPEC-67 String Format Overflow in syslog()
CAPEC-72 URL Encoding
CAPEC-77 Manipulating User-Controlled Variables
CAPEC-78 Using Escaped Slashes in Alternate Encoding
CAPEC-79 Using Slashes in Alternate Encoding
CAPEC-83 XPath Injection
CAPEC-85 AJAX Footprinting
CAPEC-86 XSS Through HTTP Headers
CAPEC-94 Adversary in the Middle (AiTM)
CAPEC-104 Cross Zone Scripting
CAPEC-107 Cross Site Tracing
CAPEC-111 JSON Hijacking (aka JavaScript Hijacking)
CAPEC-112 Brute Force
CAPEC-114 Authentication Abuse
CAPEC-115 Authentication Bypass
CAPEC-121 Exploit Non-Production Interfaces
CAPEC-122 Privilege Abuse
CAPEC-131 Resource Leak Exposure
CAPEC-132 Symlink Attack
CAPEC-134 Email Injection
CAPEC-151 Identity Spoofing
CAPEC-153 Input Data Manipulation
CAPEC-157 Sniffing Attacks
CAPEC-159 Redirect Access to Libraries
CAPEC-162 Manipulating Hidden Fields
CAPEC-164 Mobile Phishing
CAPEC-166 Force the System to Reset Values
CAPEC-174 Flash Parameter Injection
CAPEC-179 Calling Micro-Services Directly
CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-183 IMAP/SMTP Command Injection
CAPEC-185 Malicious Software Download
CAPEC-186 Malicious Software Update
CAPEC-187 Malicious Automated Software Update via Redirection
CAPEC-189 Black Box Reverse Engineering
CAPEC-191 Read Sensitive Constants Within an Executable
CAPEC-192 Protocol Analysis
CAPEC-195 Principal Spoof
CAPEC-197 Exponential Data Expansion
CAPEC-198 XSS Targeting Error Pages
CAPEC-199 XSS Using Alternate Syntax
CAPEC-200 Removal of filters: Input filters, output filters, data masking
CAPEC-202 Create Malicious Client
CAPEC-204 Lifting Sensitive Data Embedded in Cache
CAPEC-206 Signing Malicious Code
CAPEC-209 XSS Using MIME Type Mismatch
CAPEC-215 Fuzzing for application mapping
CAPEC-217 Exploiting Incorrectly Configured SSL/TLS
CAPEC-220 Client-Server Protocol Manipulation
CAPEC-226 Session Credential Falsification through Manipulation
CAPEC-227 Sustained Client Engagement
CAPEC-243 XSS Targeting HTML Attributes
CAPEC-244 XSS Targeting URI Placeholders
CAPEC-245 XSS Using Doubled Characters
CAPEC-247 XSS Using Invalid Characters
CAPEC-250 XML Injection
CAPEC-261 Fuzzing for garnering other adjacent user/sensitive data
CAPEC-267 Leverage Alternate Encoding
CAPEC-275 DNS Rebinding
CAPEC-285 ICMP Echo Request Ping
CAPEC-294 ICMP Address Mask Request
CAPEC-300 Port Scanning
CAPEC-301 TCP Connect Scan
CAPEC-303 TCP Xmas Scan
CAPEC-304 TCP Null Scan
CAPEC-308 UDP Scan
CAPEC-329 ICMP Error Message Quoting Probe
CAPEC-330 ICMP Error Message Echoing Integrity Probe
CAPEC-331 ICMP IP Total Length Field Probe
CAPEC-332 ICMP IP 'ID' Field Error Message Probe
CAPEC-398 Magnetic Strip Card Brute Force Attacks
CAPEC-399 Cloning RFID Cards or Chips
CAPEC-400 RFID Chip Deactivation or Destruction
CAPEC-402 Bypassing ATA Password Security
CAPEC-407 Pretexting
CAPEC-433 Target Influence via The Human Buffer Overflow
CAPEC-443 Malicious Logic Inserted Into Product Software by Authorized Developer
CAPEC-445 Malicious Logic Insertion into Product Software via Configuration Management Manipulation
CAPEC-446 Malicious Logic Insertion into Product Software via Inclusion of 3rd Party Component Dependency
CAPEC-458 Flash Memory Attacks
CAPEC-459 Creating a Rogue Certification Authority Certificate
CAPEC-460 HTTP Parameter Pollution (HPP)
CAPEC-462 Cross-Domain Search Timing
CAPEC-463 Padding Oracle Crypto Attack
CAPEC-464 Evercookie
CAPEC-465 Transparent Proxy Abuse
CAPEC-466 Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy
CAPEC-467 Cross Site Identification
CAPEC-468 Generic Cross-Browser Cross-Domain Theft
CAPEC-475 Signature Spoofing by Improper Validation
CAPEC-492 Regular Expression Exponential Blowup
CAPEC-494 TCP Fragmentation
CAPEC-504 Task Impersonation
CAPEC-511 Infiltration of Software Development Environment
CAPEC-516 Hardware Component Substitution During Baselining
CAPEC-517 Documentation Alteration to Circumvent Dial-down
CAPEC-518 Documentation Alteration to Produce Under-performing Systems
CAPEC-519 Documentation Alteration to Cause Errors in System Design
CAPEC-520 Counterfeit Hardware Component Inserted During Product Assembly
CAPEC-521 Hardware Design Specifications Are Altered
CAPEC-522 Malicious Hardware Component Replacement
CAPEC-523 Malicious Software Implanted
CAPEC-524 Rogue Integration Procedures
CAPEC-528 XML Flood
CAPEC-530 Provide Counterfeit Component
CAPEC-532 Altered Installed BIOS
CAPEC-533 Malicious Manual Software Update
CAPEC-534 Malicious Hardware Update
CAPEC-535 Malicious Gray Market Hardware
CAPEC-537 Infiltration of Hardware Development Environment
CAPEC-560 Use of Known Domain Credentials
CAPEC-565 Password Spraying
CAPEC-591 Reflected XSS
CAPEC-592 Stored XSS
CAPEC-593 Session Hijacking
CAPEC-600 Credential Stuffing
CAPEC-614 Rooting SIM Cards
CAPEC-644 Use of Captured Hashes (Pass The Hash)
CAPEC-652 Use of Known Kerberos Credentials
CAPEC-653 Use of Known Windows Credentials
CAPEC-654 Credential Prompt Impersonation
CAPEC-663 Exploitation of Transient Instruction Execution
CAPEC-665 Exploitation of Thunderbolt Protection Flaws
CAPEC-670 Software Development Tools Maliciously Altered
CAPEC-671 Requirements for ASIC Functionality Maliciously Altered
CAPEC-674 Design for FPGA Maliciously Altered
CAPEC-675 Retrieve Data from Decommissioned Devices

Patterns Deprecated

Category Changes

New Categories Added

Existing Categories Modified with Enhanced Material
CAPEC-437 Supply Chain

Categories Deprecated

View Changes

Views Added

Existing Views Modified with Enhanced Material

Views Deprecated

Mapping Changes

CAPEC --> CWE Mappings Added

CAPEC --> CWE Mappings Removed

CAPEC --> CAPEC Mappings Added

CAPEC --> CAPEC Mappings Removed
CAPEC-437 Supply Chain
Has Member   --> CAPEC-176 Configuration/Environment Manipulation
Has Member   --> CAPEC-441 Malicious Logic Insertion
More information is available — Please select a different filter.
Page Last Updated or Reviewed: February 22, 2022